hoakley June 18, 2016 Macs, Technology

How to deal with keychain problems in macOS 10.11.2 and later

Keychains – which contain passwords, security certificates, encryption keys, and even secure notes if you wish – are normally fairly stable and robust. But every once in a while, a Mac seems to run into problems with them. Most common is having to keep entering your keychain password, because that keychain seems to lock itself when you’re not looking.

I also remember one particular update to macOS which seemed to cause widespread keychain problems. I am sure that is a thing of the past.

For a long time now, Apple has provided a bundled utility, Keychain Access, which lets us view and alter our keychains. Some time ago, there was a separate tool called Keychain First Aid, which we could run to check and repair wobbly keychains. Then Apple decided to integrate that into Keychain Access: to check and repair a keychain, you then had to open Keychain Access, and run First Aid from its app menu.

Keychain First Aid quietly disappeared at the end of last year, with the 10.11.2 update.

This was apparently because of a security vulnerability, in which malicious software could pose as a keychain component, and create havoc. Not that it ever seems to have been exploited, though.

Apple did sort of tell us, in the security information which accompanied the 10.11.2 update. As I keep records, I can quote the exact words:
Keychain Access
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: A malicious application may be able to masquerade as the Keychain Server.
Description: An issue existed in how Keychain Access interacted with Keychain Agent. This issue was resolved by removing legacy functionality.

The peculiar absence of the words “Keychain First Aid” may of course have been a clerical oversight. Neither can I find any Apple Knowledgebase article explaining this, nor (unsurprisingly) any release notes.

Rumour has it, according to a reported conversation with someone from Apple Support, that Disk Utility now performs keychain checks and repairs if necessary. I cannot confirm this, which may be completely untrue. There doesn’t appear to be any command line tool with an option to perform keychain checking and repair. Maybe Keychain First Aid hasn’t done anything useful for years, and it was just a placebo.

So all that I can suggest, if you are running macOS 10.11.2 or later and are experiencing keychain problems, is to open Disk Utility and run First Aid on your startup volume.

It’s anyone’s guess as to whether that will actually do anything, though.

If it doesn’t, then you can try creating a new, empty keychain, and copying across all the contents of the old one. That may, of course, not work if you have problems with the old keychain, which is why you are doing all this in the first place.

If you have discovered a solution, please let me know.

Postscript: additional and updated information about dealing with keychain problems in macOS Sierra is now provided in this article.

25Comments

Add yours

1

Axel Roest on June 24, 2016 at 11:20 am

Unfortunately, Disk Utility’s First Aid does not repair the Keychain items. I guess we should all pound on the Geniuses at the Apple Bar to fix these issues.

LikeLike
- 2
  
  hoakley on June 24, 2016 at 11:23 am
  
  I suspected that was a stock answer from Support to make someone think that there was a solution. The only answer then must be to create a new blank keychain, and copy items across from the old one. That is not good.
  Howard.
  
  LikeLike
3

Connie on October 24, 2016 at 6:41 pm

Disc Utility did not solve keychain problem!!!! Apple computer engineers are either sadists or idiots!

LikeLike
- 4
  
  hoakley on October 24, 2016 at 6:46 pm
  
  I’m afraid the the only way to deal with a sick keychain is to create a new one, and manually copy the items from the old keychain to the new one. There is no tool at all.
  Howard.
  
  LikeLike
- 5
  
  Hollwood on December 17, 2016 at 4:35 pm
  
  Did you ever resolve the keychain issues on your MacBook??? This is driving me crazy! I thought is was something I did before reading all of the issues online with this. I literally rebuilt my entire keychain 5 times thinking I missed something. 5 days later and who know how many hours behind the keyboard and still same problem. ughhhh!! – Thanks, Hollywood from FL.
  
  LikeLike
  - 6
    
    hoakley on December 17, 2016 at 4:47 pm
    
    One thing which you can now try is downloading and installing the 10.12.2 Combo updater, which is often a fix for resistant problems. I detail this here: https://eclecticlight.co/2016/12/14/the-return-of-the-universal-panacea-install-the-combo-updater/
    Another thing which can cause havoc with keychains is an app which runs periodically and uses your keychain. For example, some apps which claim to ‘clean up’ or perform ‘housekeeping’ have to authenticate, and that can result in periodic errors, which could in turn result in keychain problems. Checking for such apps and services could be very useful.
    The fact is that the great majority of those using 10.12.2 do not experience keychain problems, whether they are kept locally or in iCloud Keychain. Keychains have very little to do with hardware, so they are not likely to vary much between different models. However they are sensitive to third-party software, and that may explain why some people are experiencing problems, but not the majority.
    Howard.
    
    LikeLike
7

Joaquin Rodriguez on November 29, 2016 at 8:01 pm

Let’s just get rid of Keychain. We never had these issues until some moron thought that “Keychain” was a good idea. I can’t get any support from Apple for a product that Apple developed and unilaterally unleashed on its unsuspecting customers. Jiminy Christmas!

LikeLike
- 8
  
  hoakley on November 29, 2016 at 8:05 pm
  
  The snag with getting rid of Keychain is that you still need somewhere to store the secure certificates, passwords, and everything else which is stored in your keychains. So you’d have to replace it with another keychain system.
  We used to have the ability to repair keychains, until OS X 10.11.2. It was removed because it was exploitable. Perhaps Apple should have fixed it instead of trashing the feature.
  Howard.
  
  LikeLike
9

Hollwood on December 17, 2016 at 4:31 pm

Is there really still no fix for the keychain issues for OS X Sierra?!?!?!?!?!?

LikeLike
- 10
  
  hoakley on December 17, 2016 at 4:35 pm
  
  Apple has not notified us of any bug fixes. That may mean that there are no bugs, or that they have still not fixed bugs which they know about.
  Howard.
  
  LikeLike
11

realdannys on February 8, 2017 at 1:05 pm

My keychain issue is that whenever I click in a username box I get a spinning beachball for a few seconds – most annoying. My iMac with the same iCloud keychain doesn’t do this, it works instantly. My old MacBook Pro didn’t do this, it’s only started since I cloned over to the touchbar MBP. I’ve tried deleting the keychain and resyncing it from scratch but once the keychain syncs over it still happens! I’ve deleted lots of old login entires in the keychain assuming it was getting stuck looking through ones and it has sped it up a bit, but it still locks up for a second when clicking on any login box.

LikeLike
- 12
  
  hoakley on February 8, 2017 at 1:15 pm
  
  I’d be surprised if that’s a keychain problem. If you have cloned the system from an older MacBook Pro, there’s a fair bet that you have brought across some old bits that are causing this.
  How much did you clone across, or was it just a migration?
  Howard.
  
  LikeLike
  - 13
    
    realdannys on February 8, 2017 at 9:27 pm
    
    Full Carbon Copy Clone. The problem only happens when accessing passwords stored in keychain, so I don’t see how it could be a problem to do with anything else.
    
    Have booted safe mode, reset PRRam, SMC, installed latest combo updated. Nada.
    
    If I delete everything (turn off iCloud keychain) and say add one password, it works just fine, and it’s got faster since I deleted many passwords, but still, I only have a couple of hundred stored not thousands and its not happening on my other Macs, so its very strange.
    
    LikeLike
    - 14
      
      hoakley on February 8, 2017 at 9:32 pm
      
      Ah – you’re using iCloud keychain. I’d be tempted to switch back to using a local keychain for now if you can.
      Howard.
      
      LikeLike
    - 15
      
      realdannys on February 8, 2017 at 9:36 pm
      
      Hmmm, not really a solution though that is it. More of an inconvenience. I have 4 Macs to manage so iCloud keychain is ideal to pick up work on any of them and there’s no reason it should happen. Then again macOS these days is full of things that shouldn’t happen.
      
      LikeLike
    - 16
      
      hoakley on February 8, 2017 at 9:40 pm
      
      I agree. But if the problem vanishes when you use a local keychain, you will at least know where the problem lies, even if there isn’t much that you can do about it. Why it should affect just this latest MacBook Pro and not your other Macs is also a mystery, especially after a Combo update.
      Howard.
      
      LikeLike
    - 17
      
      realdannys on February 8, 2017 at 9:48 pm
      
      I don’t think it’s the iCloud side as such, because you can of course turn that off and leave the downloaded keychain in tact and it continues to do the same. I’m sure if I manually copied them i’d get to the same issue.
      A test I need to do is create a new user account and sync them across to that and see what happens. Most of the time you find a new user account fixes things – however it’s not exactly a great solution either as that means starting from scratch with everything, sigh.
      
      LikeLike
    - 18
      
      hoakley on February 8, 2017 at 10:02 pm
      
      A new user account is a good way of telling whether the file(s) causing the problem are hidden somewhere in /Library (or /System/Library), or in ~/Library, generally speaking, although it is of course also sensitive to keychains.
      If only we had a way of repairing keychains other than manually creating a new one and copying across everything from the old one.
      Howard.
      
      LikeLike
  - 19
    
    cavenewt on February 22, 2017 at 5:29 pm
    
    Have you tried deleting the keychain preference? ~Library/Preferences/com.apple.keychainaccess.plist on my Yosemite system.
    
    LikeLike
    - 20
      
      hoakley on February 22, 2017 at 6:14 pm
      
      In Sierra (and I think El Capitan) it is in ~/Library/Preferences/com.apple.security.plist, and discussed in this article.
      Howard.
      
      LikeLike
- 21
  
  cavenewt on February 22, 2017 at 5:24 pm
  
  Any time I clone a system to different hardware, I always follow up by reinstalling the latest Combo updater. This will install missing bits required by the different hardware, and is also a pretty good troubleshooting step in any case.
  
  LikeLike
22

Robert on October 14, 2017 at 2:42 pm

Hey do you know where i can look for lost passwords? The are gone both from safari settings and keychain access?

LikeLike
- 23
  
  hoakley on October 14, 2017 at 2:53 pm
  
  Safari uses the same login keychain to which Keychain Access gives you access.
  If you are using iCloud Keychain, then they have probably gone for good as that doesn’t seem to get backed up at all.
  If you are not, then look in ~/Library/Keychains in your Time Machine (or other) backups. You will need to locate the login keychain there, and make a copy in another folder like Documents. Change its name from login to, say, oldlogin, and then put it in your current ~/Library/Keychains folder.
  Then open that keychain using Keychain Access, giving the normal login password to unlock it, and you should find the old passwords still there.
  Howard.
  
  LikeLike
24

Macman on May 22, 2018 at 1:34 am

Firstly I can no longer see my download on 10.12 in my previous downloads OS X App store, possibly because it was a massive failure? The keychain vulnerability is nothing like the gapping hole when Apple developers (the kindergarten) left the front door WIDE OPEN, type root for password hit enter twice (blank password). LMFAO

The switch from Unix permission too ACL’s has been painful and a typical Apple need jerk action in implementing.
Going forward your OS X is going to become more like an automated iPad (seeing as the iOS team is now also the OS X team), Its all about No Feedback, No Clue no educating users and relying on what Apple call geniuses in a store full of car salesmen (Genius now = anybody off the street with Apples selected sales training)
Here are some steps we use to fix issues.
1. Give the users/home folder admin r/w access and click the cog and apply to enclosed
2. Go to user accounts in preferences and unlock at bottom, now right click on user to see advanced options popup, click create new UUID
3. Restart holding down shift the whole way (clears firewall sandpit)
4. Restart once on the desktop

LikeLike
- 25
  
  hoakley on May 22, 2018 at 5:45 am
  
  Thank you. Several issues:
  – you should still be able to see all your previous Purchases in the App Store. If not, check you are using the correct Apple ID.
  – High Sierra’s most obvious security flaws have now, it seems, been fixed.
  – macOS has not switched from Unix permissions. ACLs are a long-standing additional feature of macOS, and are not the primary means of access control.
  – although there is a lot of common code, there are still plenty of macOS engineers.
  – your experience with the Genius Bar is very different from most people’s.
  – you can find separate articles here dealing with Home folder permissions.
  – creating a new user UUID is only likely to cause problems rather than solve any. What is the purpose in doing so?
  – you should have the firewall turned on in your router rather than in macOS.
  Howard.
  
  LikeLike