Tackling keychain problems in Terminal

Sometimes, macOS provides shell commands with more power, and more extensive features, than their neatly-wrapped app version. This is true for Disk Utility, Console, and other major bundled tools. It is also true for Keychain Access, which is now the only utility that can help you fix keychain problems.

Oddly, the command which gives full access to keychains is called simply security. And although it can do many wonderful things with keychains, and could for example be used to automatically create a copy of an existing keychain and make it the login default, it has no command to perform any repair operations.

Those already familiar with command tools will know that you can type
man security
into Terminal to see its documentation. Unfortunately that is so copious and lengthy that you will quickly become lost. The only sensible way to study its capabilities and use is with a documentation browser like Dash, or the rather simpler Man Reader.

security is so complex that it has to be used with a verb selected from a long list. For example, the most basic command, and one which produces some interesting surprises for many users, is
security list-keychains
which lists all keychains. As that will include system keychains, you will probably find
security list-keychains -d user
more useful, as it only lists your current user-level keychains.

Its result here was:
"/Users/hoakley/Library/Keychains/login.keychain-db"
"/Users/hoakley/Library/Keychains/loginMPro.keychain-db"
"/Users/hoakley/Library/Application Support/Adobe/AIR/ELS/com.adobe.formscentral.FormsCentralForAcrobat/PrivateEncryptedDatak"

The first listed is the essential login keychain which is opened when I log into this user account on my Mac. Every user needs their own login keychain, and that is the default, stored in ~/Library/Keychains/login.keychain-db.

The second is a copy of an old keychain from my last Mac Pro. One day I’ll copy entries from that into my login keychain to make it complete, but for the moment it ensures that any old apps etc. calling for old usernames and passwords can still find them.

The third is news to me, and obviously a hidden part of Adobe AIR. As I don’t know its password, I cannot open it to see what it contains.

Having listed your user keychains, you can then obtain information about each using
security show-keychain-info ~/Library/Keychains/login.keychain-db
and similar, which returns the simple statement
Keychain "/Users/hoakley/Library/Keychains/login.keychain-db" no-timeout

If your login keychain is set to lock automatically after a certain period, that response will show the timeout instead of no-timeout. If you keep being asked for your login password, this is a useful check of whether that timeout is the problem.

If your login keychain is locking itself and has a timeout set, you can clear it using
security set-keychain-settings ~/Library/Keychains/login.keychain-db

You can also confirm that it is the default user keychain, using
security default-keychain -d user
which should return something like
"/Users/hoakley/Library/Keychains/login.keychain-db"

If that default user keychain is not called login.keychain-db or is not in the standard path of ~/Library/Keychains/ then that will explain why you are having keychain problems.

Settings for keychains are also stored in property lists, which can help solve other problems. The file containing the name and path to your default user keychain, and the keychain search list, is kept in ~/Library/Preferences/com.apple.security.plist. Presumably if that becomes corrupted, it too can lead to keychain issues. Rather than throw it away, as you might with other corrupt property lists, it may be better to make a copy and edit that before copying it back. Here is mine for comparison:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DLDBSearchList</key>
<array>
<dict>
<key>DbName</key>
<string>~/Library/Keychains/login.keychain</string>
<key>GUID</key>
<string>{87111ca3-0fa9-1ad4-8b9a-000502b11112}</string>
<key>SubserviceType</key>
<integer>6</integer>
</dict>
<dict>
<key>DbName</key>
<string>~/Library/Keychains/loginMPro.keychain</string>
<key>GUID</key>
<string>{87111ca3-0fa9-1ad4-8b9a-000502b11112}</string>
<key>SubserviceType</key>
<integer>6</integer>
</dict>
<dict>
<key>DbName</key>
<string>~/Library/Application Support/Adobe/AIR/ELS/com.adobe.formscentral.FormsCentralForAcrobat/PrivateEncryptedDatak</string>
<key>GUID</key>
<string>{87111ca3-0fa9-1ad4-8b9a-000502b11112}</string>
<key>SubserviceType</key>
<integer>6</integer>
</dict>
</array>
</dict>
</plist>

The GUID string given for each should be your unique GUID, and the same for each of your keychains. (I have changed the values shown above.)
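The checks described above (default keychain name and location, lock timeout, and a consistent GUID across the DLDBSearchList) can be automated. This is an added example, not hoakley's code: it parses the text printed by security default-keychain -d user and security show-keychain-info, and the search list in com.apple.security.plist. The sample plist is constructed, and the "lock-on-sleep timeout=Ns" output form is an assumption not shown in the post.

```python
"""Checks for the keychain symptoms described in the post (added example).
Parses `security default-keychain -d user` output, `security show-keychain-info`
output, and the DLDBSearchList of ~/Library/Preferences/com.apple.security.plist."""
import os
import plistlib
import re

# Constructed sample: two search-list entries whose GUIDs do not match.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>DLDBSearchList</key><array>
<dict><key>DbName</key><string>~/Library/Keychains/login.keychain</string>
<key>GUID</key><string>{00000000-0000-0000-0000-000000000001}</string>
<key>SubserviceType</key><integer>6</integer></dict>
<dict><key>DbName</key><string>~/Library/Keychains/loginMPro.keychain</string>
<key>GUID</key><string>{00000000-0000-0000-0000-000000000002}</string>
<key>SubserviceType</key><integer>6</integer></dict>
</array></dict></plist>"""

def check_default(default_output, home):
    """Flag a default keychain that is not ~/Library/Keychains/login.keychain-db."""
    path = default_output.strip().strip('"')   # output is a quoted path
    problems = []
    if os.path.basename(path) != "login.keychain-db":
        problems.append("default keychain is not login.keychain-db: " + path)
    if os.path.dirname(path) != os.path.join(home, "Library", "Keychains"):
        problems.append("default keychain is outside ~/Library/Keychains: " + path)
    return problems

def lock_timeout(info_output):
    """Seconds before the keychain locks, or None when the line ends in no-timeout.
    The 'timeout=Ns' form is assumed; the post only shows the no-timeout case."""
    if info_output.rstrip().endswith("no-timeout"):
        return None
    m = re.search(r"timeout=(\d+)s", info_output)
    if not m:
        raise ValueError("unrecognised show-keychain-info output: " + info_output)
    return int(m.group(1))

def check_search_list(plist_bytes):
    """Every DLDBSearchList entry must share one GUID, and login.keychain must be listed."""
    entries = plistlib.loads(plist_bytes).get("DLDBSearchList", [])
    if not entries:
        return ["DLDBSearchList is missing or empty"]
    problems = []
    guids = {e.get("GUID") for e in entries}
    if len(guids) != 1:
        problems.append("search list entries carry %d different GUIDs" % len(guids))
    if not any(os.path.basename(e.get("DbName", "")).startswith("login.keychain") for e in entries):
        problems.append("login keychain is not in the search list")
    return problems
```

On a Mac, feed check_search_list the bytes of your own com.apple.security.plist and the other two functions the output of the commands above; an empty list means nothing the post warns about was found.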

There are also system equivalents located at /Library/Preferences/com.apple.security.plist and /Library/Preferences/com.apple.security-common.plist, but you should avoid tampering with those, as that is likely to break your system.

In the next couple of days, I will try to incorporate some simple checks into LockRattler, and post a new version here. That might help you understand what could be going wrong with your keychain, perhaps.