In what order does the keychain lookup happen?

Example: with google.com as the item name, I have two keychain items named "Foo", one in KeychainA and another in KeychainB.

When I run the following which password should be retrieved? Password from KeychainA or KeychainB?

Does it retrieve items by prioritizing the 'default' keychain first? Or is it sorted by keychain name? Or does it prioritize items based on date?

security find-generic-password -w -s 'google.com' -a 'Foo'

I asked because we often have certs that are duplicated across keychains, and when I run the command above the item is retrieved from a locked keychain, which causes an OS prompt that halts our Jenkins/CI.

To start, read On Mac Keychains. Everything I’m discussing here refers to the file-based keychain, not the data protection keychain.

The keychain APIs search for keychain items based on the keychain search list. You can access that programmatically but here I suspect that you just want to poke around at it, in which case I recommend the list-keychains subcommand of the security tool. For details, see the security man page.

I asked because we often have certs that are duplicated across keychains and when I run the command above, the item is retrieved from a locked keychain.

Are these actually duplicates? Or just certificates with similar names?

If it’s the former, why do you have duplicates? That seems… redundant.

If it’s the latter, I recommend that you switch to SHA-1 hashes. I talk about this in Creating Distribution-Signed Code for Mac.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
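An added example to go with the search-list point above (this is not code from Quinn's reply or from the original poster). It parses the output of `security list-keychains` into plain paths in search order, and on macOS walks that list to report which keychain actually holds a `Foo` / `google.com` item by querying each keychain explicitly (passing the keychain path as the trailing argument to `find-generic-password`). The sample `list-keychains` output and the `/Users/ci/...` paths are constructed for the example; the metadata-only lookup (no `-w`) is assumed not to need the keychain unlocked, so the walk itself should not trigger the prompt described in the question.

```sh
#!/bin/sh
# Added example: inspect the keychain search list and find which keychain
# answers a lookup. Sample data below is constructed, not real output.

# parse_search_list: read `security list-keychains` output on stdin and print
# one keychain path per line, in search order, with quotes/indent stripped.
parse_search_list() {
  sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' -e '/^$/d'
}

# first_keychain: the keychain consulted first for an ambiguous lookup.
first_keychain() {
  parse_search_list | head -n 1
}

# Constructed stand-in for `security list-keychains` output (paths are made up).
SAMPLE_LIST='    "/Users/ci/Library/Keychains/login.keychain-db"
    "/Users/ci/Library/Keychains/KeychainA.keychain-db"
    "/Users/ci/Library/Keychains/KeychainB.keychain-db"
    "/Library/Keychains/System.keychain"'

# locate_item SERVICE ACCOUNT: on macOS, query each keychain in search order
# and print the first one containing a matching generic password item.
# Querying without -w only reads item attributes (assumed to work on a locked
# keychain), so this pinpoints the source without an unlock prompt.
locate_item() {
  service=$1
  account=$2
  security list-keychains | parse_search_list | while IFS= read -r kc; do
    if security find-generic-password -s "$service" -a "$account" "$kc" >/dev/null 2>&1; then
      printf '%s\n' "$kc"
      break
    fi
  done
}

# Offline demonstration on the constructed sample.
echo "Search order (constructed sample):"
printf '%s\n' "$SAMPLE_LIST" | parse_search_list
echo "Consulted first: $(printf '%s\n' "$SAMPLE_LIST" | first_keychain)"

# Live check, only where the security tool exists (macOS).
if command -v security >/dev/null 2>&1; then
  echo "Keychain holding Foo/google.com: $(locate_item 'google.com' 'Foo')"
fi
```

In a CI job the practical fix that follows from this is to pass the unlocked build keychain's path explicitly to `find-generic-password` rather than relying on search-list order, so a duplicate in a locked keychain earlier in the list is never consulted.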
