@tamakiii
Created May 7, 2023 09:44
Working with credentials managed by Keychain Access in CLI on macOS

Export to environment variable

export OPENAI_API_KEY=$(security find-generic-password -s OPENAI_API_KEY -a "$(whoami)" -w)

The -w flag prints only the secret, so nothing else lands in the variable. Once exported from a login shell the key is inherited by every process started from that shell; where possible set it only for the one command that needs it, e.g. env OPENAI_API_KEY="$(security find-generic-password -s OPENAI_API_KEY -a "$(whoami)" -w)" some-command.

Copy to clipboard

security find-generic-password -s OPENAI_API_KEY -a "$(whoami)" -w | pbcopy

Anything on the pasteboard can be read by any running application, so clear it once you have pasted the value (pbcopy </dev/null).

Register

security add-generic-password -s OPENAI_API_KEY -a "$(whoami)" -w "$(pbpaste)"

This fails if an item with the same service and account already exists (see Update). Giving the value to -w on the command line places the secret in the argument list of the security process, where ps can read it for as long as the command runs; security(1) recommends putting -w last with no value so that the tool prompts for it instead. Note also that by default the application that creates the item (here /usr/bin/security) is trusted to read it back without a prompt; pass -T "" to remove that default so later reads go through the Keychain access dialog.

Update

security add-generic-password -s OPENAI_API_KEY -a "$(whoami)" -w "$(pbpaste)" -U

-U overwrites the existing item in place; the same argument-list exposure as for Register applies.

Delete

security delete-generic-password -s OPENAI_API_KEY -a "$(whoami)"

delete-generic-password takes only the match options listed in the man page (-a, -s, -l and so on); it has no -w option.

Launch app

open /System/Applications/Utilities/Keychain\ Access.app

open -a "Keychain Access" locates the app by name and does not depend on the path above.
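The register, read, update and delete steps above wrapped into a few shell functions that keep the secret off the command line and out of the login shell's environment. This is an added example, not code from the gist; the function names (kc_get, kc_put, kc_rm, kc_with) and the KC_ACCOUNT variable are this example's own choices. It assumes that `security -i` splits each stdin line on whitespace without quoting rules, so values containing spaces or quotes are refused rather than stored wrongly.

```shell
#!/bin/bash
# Added example (not from the original gist): wrappers around macOS security(1)
# for the register / read / update / delete steps. Function names and the
# KC_ACCOUNT variable are this example's own choices.
set -eu

# Keychain account name; the gist uses $(whoami), id -un yields the same value.
KC_ACCOUNT="${KC_ACCOUNT:-$(id -un)}"

# Print only the secret for service $1 (find-generic-password -w).
# Exit status is non-zero and nothing is printed when the item is missing.
kc_get() {
    security find-generic-password -s "$1" -a "$KC_ACCOUNT" -w 2>/dev/null
}

# Create or update (-U) the item for service $1 with the secret read from stdin.
# The add-generic-password line is fed to `security -i` on its stdin, so the
# secret never appears in any process's argument list (where `ps` could read
# it), unlike `-w "$(pbpaste)"`. Assumption: interactive mode splits the line
# on whitespace with no quoting, so spaces/quotes in any field are refused.
kc_put() {
    local secret=""
    IFS= read -r secret || true
    [ -n "$secret" ] || { echo "kc_put: refusing to store an empty secret" >&2; return 1; }
    case "$1$KC_ACCOUNT$secret" in
        *[[:space:]]*|*\"*|*\'*)
            echo "kc_put: whitespace or quotes not supported for $1" >&2; return 1 ;;
    esac
    printf 'add-generic-password -a %s -s %s -U -w %s\n' "$KC_ACCOUNT" "$1" "$secret" \
        | security -i >/dev/null
    # Read the item back so a silently failed write is caught here, not later.
    kc_get "$1" >/dev/null || { echo "kc_put: item for $1 not found after write" >&2; return 1; }
}

# Remove the item for service $1. delete-generic-password only takes match options.
kc_rm() {
    security delete-generic-password -s "$1" -a "$KC_ACCOUNT" >/dev/null 2>&1
}

# Run a command with the secret for service $1 exported as variable $2, for that
# command only, instead of `export` in the login shell where every later
# process inherits it.
kc_with() {
    local service="$1" var="$2" value
    shift 2
    value="$(kc_get "$service")" || { echo "kc_with: no keychain item for $service" >&2; return 1; }
    env "$var=$value" "$@"
}

# Demo, only when KC_DEMO is set (needs a real macOS keychain and pasteboard).
if [ -n "${KC_DEMO:-}" ]; then
    printf '%s\n' "$(pbpaste)" | kc_put OPENAI_API_KEY
    kc_with OPENAI_API_KEY OPENAI_API_KEY sh -c 'echo "key length: ${#OPENAI_API_KEY}"'
fi
```

For a human at a terminal the simplest alternative to kc_put is the form security(1) itself recommends: put -w last with no value and let the tool prompt. Add -T "" to the add-generic-password line if later reads should require the Keychain access dialog rather than succeeding silently for /usr/bin/security.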

References

$ man security | cat
security(1) General Commands Manual security(1)
NAME
security – Command line interface to keychains and Security framework
SYNOPSIS
security [-hilqv] [-p prompt] [command] [command_options] [command_args]
DESCRIPTION
A simple command line interface which lets you administer keychains,
manipulate keys and certificates, and do just about anything the Security
framework is capable of from the command line.
By default security will execute the command supplied and report if
anything went wrong.
If the -i or -p options are provided, security will enter interactive
mode and allow the user to enter multiple commands on stdin. When EOF is
read from stdin security will exit.
Here is a complete list of the options available:
-h If no arguments are specified, show a list of all commands. If
arguments are provided, show usage for each the specified
commands. This option is essentially the same as the help
command.
-i Run security in interactive mode. A prompt (security> by
default) will be displayed and the user will be able to type
commands on stdin until an EOF is encountered.
-l Before security exits, run
/usr/bin/leaks -nocontext
on itself to see if the command(s) you executed had any leaks.
-p prompt
This option implies the -i option but changes the default prompt
to the argument specified instead.
-q Will make security less verbose.
-v Will make security more verbose.
SECURITY COMMAND SUMMARY
security provides a rich variety of commands (command in the SYNOPSIS),
each of which often has a wealth of options, to allow access to the broad
functionality provided by the Security framework. However, you don't
have to master every detail for security to be useful to you.
Here are brief descriptions of all the security commands:
help Show all commands, or show usage for a
command.
list-keychains Display or manipulate the keychain search
list.
default-keychain Display or set the default keychain.
login-keychain Display or set the login keychain.
create-keychain Create keychains.
delete-keychain Delete keychains and remove them from the
search list.
lock-keychain Lock the specified keychain.
unlock-keychain Unlock the specified keychain.
set-keychain-settings Set settings for a keychain.
set-keychain-password Set password for a keychain.
show-keychain-info Show the settings for keychain.
dump-keychain Dump the contents of one or more keychains.
create-keypair Create an asymmetric key pair.
add-generic-password Add a generic password item.
add-internet-password Add an internet password item.
add-certificates Add certificates to a keychain.
find-generic-password Find a generic password item.
delete-generic-password Delete a generic password item.
set-generic-password-partition-list
Set the partition list of a generic password
item.
find-internet-password Find an internet password item.
delete-internet-password Delete an internet password item.
set-internet-password-partition-list
Set the partition list of an internet password
item.
find-key Find keys in the keychain
set-key-partition-list Set the partition list of a key.
find-certificate Find a certificate item.
find-identity Find an identity (certificate + private key).
delete-certificate Delete a certificate from a keychain.
delete-identity Delete a certificate and its private key from
a keychain.
set-identity-preference Set the preferred identity to use for a
service.
get-identity-preference Get the preferred identity to use for a
service.
create-db Create a db using the DL.
export Export items from a keychain.
import Import items into a keychain.
cms Encode or decode CMS messages.
install-mds Install (or re-install) the MDS database.
add-trusted-cert Add trusted certificate(s).
remove-trusted-cert Remove trusted certificate(s).
dump-trust-settings Display contents of trust settings.
user-trust-settings-enable Display or manipulate user-level trust
settings.
trust-settings-export Export trust settings.
trust-settings-import Import trust settings.
verify-cert Verify certificate(s).
authorize Perform authorization operations.
authorizationdb Make changes to the authorization policy
database.
execute-with-privileges Execute tool with privileges.
leaks Run /usr/bin/leaks on this process.
smartcards Enable, disable or list disabled smartcard
tokens.
list-smartcards Display available smartcards.
export-smartcard Export/display items from a smartcard.
error Display a descriptive message for the given
error code(s).
COMMON COMMAND OPTIONS
This section describes the command_options that are available across all
security commands.
-h Show a usage message for the specified command. This option is
essentially the same as the help command.
SECURITY COMMANDS
Here (finally) are details on all the security commands and the options
each accepts.
help [-h] Show all commands, or show usage for a command.
list-keychains [-h] [-d user|system|common|dynamic] [-s [keychain...]]
Display or manipulate the keychain search list.
-d user|system|common|dynamic
Use the specified preference domain.
-s Set the search list to the specified keychains.
default-keychain [-h] [-d user|system|common|dynamic] [-s [keychain]]
Display or set the default keychain.
-d user|system|common|dynamic
Use the specified preference domain.
-s Set the default keychain to the specified keychain.
Unset it if no keychain is specified.
login-keychain [-h] [-d user|system|common|dynamic] [-s [keychain]]
Display or set the login keychain.
-d user|system|common|dynamic
Use the specified preference domain.
-s Set the login keychain to the specified keychain. Unset
it if no keychain is specified.
create-keychain [-hP] [-p password] [keychain...] Create keychains.
-P Prompt the user for a password using the
SecurityAgent.
-p password Use password as the password for the keychains
being created.
If neither -P or -p password are specified, the user is prompted
for a password on the command line. Use of the -p option is
insecure.
delete-keychain [-h] [keychain...] Delete keychains and remove them from
the search list.
lock-keychain [-h] [-a|keychain] Lock keychain, or the default keychain
if none is specified. If the -a option is specified, all keychains are
locked.
unlock-keychain [-hu] [-p password] [keychain] Unlock keychain, or the
default keychain if none is specified.
set-keychain-settings [-hlu] [-t timeout] [keychain] Set settings for
keychain, or the default keychain if none is specified.
-l Lock keychain when the system sleeps.
-u Lock keychain after timeout interval.
-t timeout Specify timeout interval in seconds (omitting this
option specifies "no timeout").
set-keychain-password [-h] [-o oldPassword] [-p newPassword] [keychain]
Set password for keychain, or the default keychain if none is specified.
-o oldPassword Old keychain password (if not provided, will
prompt)
-p newPassword New keychain password (if not provided, will
prompt)
show-keychain-info [-h] [keychain] Show the settings for keychain.
dump-keychain [-adhir] Dump the contents of one or more keychains.
-a Dump access control list of items
-d Dump (decrypted) data of items
-i Interactive access control list editing mode
-r Dump raw (encrypted) data of items
create-keypair [-h] [-a alg] [-s size] [-f date] [-t date] [-d days] [-k
keychain] [-A|-T appPath] [name] Create an asymmetric key pair.
-a alg Use alg as the algorithm, can be rsa, dh, dsa or
fee (default rsa)
-s size Specify the keysize in bits (default 512)
-f date Make a key valid from the specified date (ex:
"13/11/10 3:30pm")
-t date Make a key valid to the specified date
-d days Make a key valid for the number of days specified
from today
-k keychain Use the specified keychain rather than the default
-A Allow any application to access this key without
warning (insecure, not recommended!)
-T appPath Specify an application which may access this key
(multiple -T options are allowed)
add-generic-password [-h] [-a account] [-s service] [-w password]
[options...] [keychain] Add a generic password item.
-a account Specify account name (required)
-c creator Specify item creator (optional four-character
code)
-C type Specify item type (optional four-character code)
-D kind Specify kind (default is "application password")
-G value Specify generic attribute value (optional)
-j comment Specify comment string (optional)
-l label Specify label (if omitted, service name is used as
default label)
-s service Specify service name (required)
-p password Specify password to be added (legacy option,
equivalent to -w)
-w password Specify password to be added. Put at end of
command to be prompted (recommended)
-A Allow any application to access this item without
warning (insecure, not recommended!)
-T appPath Specify an application which may access this item
(multiple -T options are allowed)
-U Update item if it already exists (if omitted, the
item cannot already exist)
-X password Specify password data to be added as a hexadecimal
string
By default, the application which creates an item is trusted to
access its data without warning. You can remove this default
access by explicitly specifying an empty app pathname: -T "". If
no keychain is specified, the password is added to the default
keychain.
add-internet-password [-h] [-a account] [-s server] [-w password]
[options...] [keychain] Add an internet password item.
-a account Specify account name (required)
-c creator Specify item creator (optional four-character
code)
-C type Specify item type (optional four-character code)
-d domain Specify security domain string (optional)
-D kind Specify kind (default is "application password")
-j comment Specify comment string (optional)
-l label Specify label (if omitted, service name is used as
default label)
-p path Specify path string (optional)
-P port Specify port number (optional)
-r protocol Specify protocol (optional four-character
SecProtocolType, e.g. "http", "ftp ")
-s server Specify server name (required)
-t authenticationType
Specify authentication type (as a four-character
SecAuthenticationType, default is "dflt")
-w password Specify password to be added. Put at end of
command to be prompted (recommended)
-A Allow any application to access this item without
warning (insecure, not recommended!)
-T appPath Specify an application which may access this item
(multiple -T options are allowed)
-U Update item if it already exists (if omitted, the
item cannot already exist)
-X password Specify password data to be added as a hexadecimal
string
By default, the application which creates an item is trusted to
access its data without warning. You can remove this default
access by explicitly specifying an empty app pathname: -T "". If
no keychain is specified, the password is added to the default
keychain.
add-certificates [-h] [-k keychain] file... Add certificates contained in
the specified files to the default keychain. The files must contain one
DER encoded X509 certificate each.
-k keychain Use keychain rather than the default keychain.
find-generic-password [-h] [-a account] [-s service] [-options...] [-g]
[-keychain...] Find a generic password item.
-a account Match account string
-c creator Match creator (four-character code)
-C type Match type (four-character code)
-D kind Match kind string
-G value Match value string (generic attribute)
-j comment Match comment string
-l label Match label string
-s service Match service string
-g Display the password for the item found
-w Display the password(only) for the item found
delete-generic-password [-h] [-a account] [-s service] [-options...]
[-keychain...] Delete a generic password item.
-a account Match account string
-c creator Match creator (four-character code)
-C type Match type (four-character code)
-D kind Match kind string
-G value Match value string (generic attribute)
-j comment Match comment string
-l label Match label string
-s service Match service string
delete-internet-password [-h] [-a account] [-s server] [options...]
[keychain...] Delete an internet password item.
-a account Match account string
-c creator Match creator (four-character code)
-C type Match type (four-character code)
-d securityDomain
Match securityDomain string
-D kind Match kind string
-j comment Match comment string
-l label Match label string
-p path Match path string
-P port Match port number
-r protocol Match protocol (four-character code)
-s server Match server string
-t authenticationType
Match authenticationType (four-character code)
find-internet-password [-h] [-a account] [-s server] [options...] [-g]
[keychain...] Find an internet password item.
-a account Match account string
-c creator Match creator (four-character code)
-C type Match type (four-character code)
-d securityDomain
Match securityDomain string
-D kind Match kind string
-j comment Match comment string
-l label Match label string
-p path Match path string
-P port Match port number
-r protocol Match protocol (four-character code)
-s server Match server string
-t authenticationType
Match authenticationType (four-character code)
-g Display the password for the item found
-w Display the password(only) for the item found
find-key [options...] [keychain...] Search the keychain for keys.
-a application-label
Match "application label" string
-c creator Match creator (four-character code)
-d Match keys that can decrypt
-D description Match "description" string
-e Match keys that can encrypt
-j comment Match comment string
-l label Match label string
-r Match keys that can derive
-s Match keys that can sign
-t type Type of key to find: one of "symmetric", "public",
or "private"
-u Match keys that can unwrap
-v Match keys that can verify
-w Match keys that can wrap
set-generic-password-partition-list [-a account] [-s service] [-S
<partition list (comma separated)>] [-k <keychain password>] [options...]
[keychain] Sets the "partition list" for a generic password. The
"partition list" is an extra parameter in the ACL which limits access to
the item based on an application's code signature. You must present the
keychain's password to change a partition list.
-S partition-list
Comma-separated partition list. See output of
"security dump-keychain" for examples.
-k password Password for keychain
-a account Match account string
-c creator Match creator (four-character code)
-C type Match type (four-character code)
-D kind Match kind string
-G value Match value string (generic attribute)
-j comment Match comment string
-l label Match label string
-s service Match service string
set-internet-password-partition-list [-a account] [-s server] [-S
<partition list (comma separated)>] [-k <keychain password>] [options...]
[keychain] Sets the "partition list" for an internet password. The
"partition list" is an extra parameter in the ACL which limits access to
the item based on an application's code signature. You must present the
keychain's password to change a partition list.
-S partition-list
Comma-separated partition list. See output of
"security dump-keychain" for examples.
-k password Password for keychain
-a account Match account string
-c creator Match creator (four-character code)
-C type Match type (four-character code)
-d securityDomain
Match securityDomain string
-D kind Match kind string
-j comment Match comment string
-l label Match label string
-p path Match path string
-P port Match port number
-r protocol Match protocol (four-character code)
-s server Match server string
-t authenticationType
Match authenticationType (four-character code)
set-key-partition-list [-S <partition list (comma separated)>] [-k
<keychain password>] [options...] [keychain] Sets the "partition list"
for a key. The "partition list" is an extra parameter in the ACL which
limits access to the key based on an application's code signature. You
must present the keychain's password to change a partition list. If you'd
like to run /usr/bin/codesign with the key, "apple:" must be an element
of the partition list.
-S partition-list
Comma-separated partition list. See output of
"security dump-keychain" for examples.
-k password Password for keychain
-a application-label
Match "application label" string
-c creator Match creator (four-character code)
-d Match keys that can decrypt
-D description Match "description" string
-e Match keys that can encrypt
-j comment Match comment string
-l label Match label string
-r Match keys that can derive
-s Match keys that can sign
-t type Type of key to find: one of "symmetric", "public",
or "private"
-u Match keys that can unwrap
-v Match keys that can verify
-w Match keys that can wrap
find-certificate [-h] [-a] [-c name] [-e emailAddress] [-m] [-p] [-Z]
[keychain...] Find a certificate item. If no keychain arguments are
provided, the default search list is used.
Options:
-a Find all matching certificates, not just the first
one
-c name Match on name when searching (optional)
-e emailAddress
Match on emailAddress when searching (optional)
-m Show the email addresses in the certificate
-p Output certificate in pem format. Default is to
dump the attributes and keychain the cert is in.
-Z Print SHA-256 (and SHA-1) hash of the certificate
Examples
security> find-certificate -a -p > allcerts.pem
Exports all certificates from all keychains into a pem
file called allcerts.pem.
security> find-certificate -a -e [email protected] -p > certs.pem
Exports all certificates from all keychains with the
email address [email protected] into a pem file called
certs.pem.
security> find-certificate -a -c MyName -Z login.keychain | grep ^SHA-256
Print the SHA-256 hash of every certificate in
'login.keychain' whose common name includes 'MyName'
find-identity [-h] [-p policy] [-s string] [-v] [keychain...] Find an
identity (certificate + private key) satisfying a given policy. If no
policy arguments are provided, the X.509 basic policy is assumed. If no
keychain arguments are provided, the default search list is used.
Options:
-p policy Specify policy to evaluate (multiple -p options
are allowed). Supported policies: basic, ssl-
client, ssl-server, smime, eap, ipsec, ichat,
codesigning, sys-default, sys-kerberos-kdc
-s string Specify optional policy-specific string (e.g. a
DNS hostname for SSL, or RFC822 email address for
S/MIME)
-v Show valid identities only (default is to show all
identities)
Examples
security> find-identity -v -p ssl-client
Display valid identities that can be used for SSL client
authentication
security> find-identity -p ssl-server -s www.domain.com
Display identities for a SSL server running on the host
'www.domain.com'
security> find-identity -p smime -s [email protected]
Display identities that can be used to sign a message
from '[email protected]'
delete-certificate [-h] [-c name] [-Z hash] [-t] [keychain...] Delete a
certificate from a keychain. If no keychain arguments are provided, the
default search list is used.
-c name Specify certificate to delete by its common name
-Z hash Specify certificate to delete by its SHA-256 (or
SHA-1) hash
-t Also delete user trust settings for this
certificate
The certificate to be deleted must be uniquely specified either by
a string found in its common name, or by its SHA-256 (or SHA-1)
hash.
delete-identity [-h] [-c name] [-Z hash] [-t] [keychain...] Delete a
certificate and its private key from a keychain. If no keychain
arguments are provided, the default search list is used.
-c name Specify certificate to delete by its common name
-Z hash Specify certificate to delete by its SHA-256 (or
SHA-1) hash
-t Also delete user trust settings for this identity
certificate
The identity to be deleted must be uniquely specified either by a
string found in its common name, or by its SHA-256 (or SHA-1)
hash.
set-identity-preference [-h] [-n] [-c identity] [-s service] [-u
keyUsage] [-Z hash] [keychain...] Set the preferred identity to use for a
service.
-n Specify no identity (clears existing preference
for the given service)
-c identity Specify identity by common name of the certificate
-s service Specify service (may be a URL, RFC822 email
address, DNS host, or other name) for which this
identity is to be preferred
-u keyUsage Specify key usage (optional)
-Z hash Specify identity by SHA-256 (or SHA-1) hash of
certificate (optional)
The identity is located by searching the specified keychain(s) for
a certificate whose common name contains the given identity
string. If no keychains are specified to search, the default
search list is used. Different identity preferences can be set for
individual key usages. You can differentiate between two
identities which contain the same string by providing a SHA-256
(or SHA-1) hash of the certificate in addition to, or instead of,
the name.
PARTIAL PATHS AND WILDCARDS
Prior to 10.5.4, identity preferences for SSL/TLS client
authentication could only be set on a per-URL basis. The URL being
visited had to match the service name exactly for the preference
to be in effect.
In 10.5.4, it became possible to specify identity preferences on a
per-server basis, by using a service name with a partial path URL
to match more specific paths on the same server. For example, if
an identity preference for "https://www.apache-ssl.org/" exists,
it will be in effect for "https://www.apache-ssl.org/cgi/cert-
export", and so on. Note that partial path URLs must end with a
trailing slash character.
Starting with 10.6, it is possible to specify identity preferences
on a per-domain basis, by using the wildcard character '*' as the
leftmost component of the service name. Unlike SSL wildcards, an
identity preference wildcard can match more than one subdomain.
For example, an identity preference for the name "*.army.mil" will
match "server1.subdomain1.army.mil" or
"server2.subdomain2.army.mil". Likewise, a preference for "*.mil"
will match both "server.army.mil" and "server.navy.mil".
KEY USAGE CODES
0 - preference is in effect for all possible key usages
(default)
1 - encryption only
2 - decryption only
4 - signing only
8 - signature verification only
16 - signing with message recovery only
32 - signature verification with message recovery only
64 - key wrapping only
128 - key unwrapping only
256 - key derivation only
To specify more than one usage, add values together.
get-identity-preference [-h] [-s service] [-u keyUsage] [-p] [-c] [-Z]
Get the preferred identity to use for a service.
-s service Specify service (may be a URL, RFC822 email
address, DNS host, or other name)
-u keyUsage Specify key usage (optional)
-p Output identity certificate in pem format
-c Print common name of the preferred identity
certificate
-Z Print SHA-256 (and SHA-1) hash of the preferred
identity certificate
create-db [-aho0] [-g dl|cspdl] [-m mode] [name] Create a db using the
DL. If name isn't provided security will prompt the user to type a name.
Options:
-a Turn off autocommit
-g dl|cspdl Use the AppleDL (default) or AppleCspDL
-m mode Set the file permissions to mode.
-o Force using openparams argument
-0 Force using version 0 openparams
Examples
security> create-db -m 0644 test.db
security> create-db -g cspdl -a test2.db
export [-k keychain] [-t type] [-f format] [-w] [-p format] [-P
passphrase] [-o outfile] Export one or more items from a keychain to one
of a number of external representations. If keychain isn't provided,
items will be exported from the user's default keychain.
Options:
-k keychain Specify keychain from which item(s) will be
exported.
-t type Specify the type of items to export. Possible
types are certs, allKeys, pubKeys, privKeys,
identities, and all. The default is all. An
identity consists of both a certificate and the
corresponding private key.
-f format Specify the format of the exported data. Possible
formats are openssl, bsafe, pkcs7, pkcs8, pkcs12,
x509, openssh1, openssh2, and pemseq. The default
is pemseq if more than one item is being exported.
The default is openssl if one key is being
exported. The default is x509 if one certificate
is being exported.
-w Specifies that private keys are to be wrapped on
export.
-p Specifies that PEM armour is to be applied to the
output data.
-P passphrase Specify the wrapping passphrase immediately. The
default is to obtain a secure passphrase via GUI.
-o outfile Write the output data to outfile. Default is to
write data to stdout.
Examples
security> export -k login.keychain -t certs -o /tmp/certs.pem
security> export -k newcert.keychain -t identities -f pkcs12 -o /tmp/mycerts.p12
import inputfile [-k keychain] [-t type] [-f format] [-w] [-P passphrase]
[options...] Import one or more items from inputfile into a keychain. If
keychain isn't provided, items will be imported into the user's default
keychain.
Options:
-k keychain Specify keychain into which item(s) will be
imported.
-t type Specify the type of items to import. Possible
types are cert, pub, priv, session, cert, and agg.
Pub, priv, and session refer to keys; agg is one
of the aggregate types (pkcs12 and PEM sequence).
The command can often figure out what item_type an
item contains based on the filename and/or
item_format.
-f format Specify the format of the exported data. Possible
formats are openssl, bsafe, raw, pkcs7, pkcs8,
pkcs12, x509, openssh1, openssh2, and pemseq. The
command can often figure out what format an item
is in based on the filename and/or item_type.
-w Specify that private keys are wrapped and must be
unwrapped on import.
-x Specify that private keys are non-extractable
after being imported.
-P passphrase Specify the unwrapping passphrase immediately. The
default is to obtain a secure passphrase via GUI.
-a attrName attrValue
Specify optional extended attribute name and
value. Can be used multiple times. This is only
valid when importing keys.
-A Allow any application to access the imported key
without warning (insecure, not recommended!)
-T appPath Specify an application which may access the
imported key (multiple -T options are allowed)
Examples
security> import /tmp/certs.pem -k
security> import /tmp/mycerts.p12 -t agg -k newcert.keychain
security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain
cms [-C|-D|-E|-S] [options...] Encode or decode CMS messages.
-C create a CMS encrypted message
-D decode a CMS message
-E create a CMS enveloped message
-S create a CMS signed message
Decoding options:
-c content use this detached content file
-h level generate email headers with info about CMS message
(output level >= 0)
-n suppress output of content
Encoding options:
-r id,... create envelope for comma-delimited list of
recipients, where id can be a certificate nickname
or email address
-G include a signing time attribute
-H hash hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512
(default: SHA1)
-N nick use certificate named "nick" for signing
-P include a SMIMECapabilities attribute
-T do not include content in CMS message
-Y nick include an EncryptionKeyPreference attribute with
certificate (use "NONE" to omit)
-Z hash find a certificate by subject key ID
Common options:
-e envelope specify envelope file (valid with -D or -E)
-k keychain specify keychain to use
-i infile use infile as source of data (default: stdin)
-o outfile use outfile as destination of data (default:
stdout)
-p password use password as key db password (default: prompt)
-s pass data a single byte at a time to CMS
-u certusage set type of certificate usage (default:
certUsageEmailSigner)
-v print debugging information
Cert usage codes:
0 - certUsageSSLClient
1 - certUsageSSLServer
2 - certUsageSSLServerWithStepUp
3 - certUsageSSLCA
4 - certUsageEmailSigner
5 - certUsageEmailRecipient
6 - certUsageObjectSigner
7 - certUsageUserCertImport
8 - certUsageVerifyCA
9 - certUsageProtectedObjectSigner
10 - certUsageStatusResponder
11 - certUsageAnyCA
install-mds Install (or re-install) the Module Directory Services (MDS)
database. This is a system tool which is not normally used by users.
There are no options.
add-trusted-cert [-d] [-r resultType] [-p policy] [-a appPath] [-s
policyString] [-e allowedError] [-u keyUsage] [-k keychain] [-i
settingsFileIn] [-o settingsFileOut] certFile Add certificate (in DER or
PEM format) from certFile to per-user or local Admin Trust Settings. When
modifying per-user Trust Settings, user authentication is required via an
authentication dialog. When modifying admin Trust Settings, the process
must be running as root, or admin authentication is required.
Options:
-d Add to admin cert store; default is user.
-r resultType resultType =
trustRoot|trustAsRoot|deny|unspecified; default is
trustRoot.
-p policy Specify policy constraint (ssl, smime, codeSign,
IPSec, basic, swUpdate, pkgSign, eap, macappstore,
appleID, timestamping).
-a appPath Specify application constraint.
-s policyString
Specify policy-specific string.
-e allowedError
Specify allowed error (an integer value, or one
of: certExpired, hostnameMismatch)
-u keyUsage Specify key usage, an integer.
-k keychain Specify keychain to which cert is added.
-i settingsFileIn
Input trust settings file; default is user domain.
-o settingsFileOut
Output trust settings file; default is user
domain.
Key usage codes:
-1 - Any
1 - Sign
2 - Encrypt/Decrypt Data
4 - Encrypt/Decrypt Key
8 - Sign certificate
16 - Sign revocation
32 - Key exchange
To specify more than one usage, add values together (except -1
- Any).
Examples
security> add-trusted-cert /tmp/cert.der
security> add-trusted-cert -d /tmp/cert.der
remove-trusted-cert [-d] certFile Remove certificate (in DER or
PEM format) in certFile from per-user or local Admin Trust
Settings. When modifying per-user Trust Settings, user
authentication is required via an authentication dialog. When
modifying admin Trust Settings, the process must be running as
root, or admin authentication is required.
Options:
-d Remove from admin cert store; default is
user.
dump-trust-settings [-s] [-d] Display Trust Settings.
Options:
-s Display trusted system certs; default is
user.
-d Display trusted admin certs; default is
user.
user-trust-settings-enable [-d] [-e] Display or manipulate user-
level Trust Settings. With no arguments, shows the current state
of the user-level Trust Settings enable. Otherwise enables or
disables user-level Trust Settings.
Options:
-d Disable user-level Trust Settings.
-e Enable user-level Trust Settings.
trust-settings-export [-s] [-d] settings_file Export Trust
Settings to the specified file.
Options:
-s Export system Trust Settings; default is
user.
-d Export admin Trust Settings; default is
user.
trust-settings-import [-d] settings_file Import Trust Settings
from the specified file. When modifying per-user Trust Settings,
user authentication is required via an authentication dialog. When
modifying admin Trust Settings, the process must be running as
root, or admin authentication is required.
Options:
-d Import admin Trust Settings; default is
user.
verify-cert [-c certFile] [-r rootCertFile] [-p policy] [-C] [-d
date] [-k keychain] [-n name] [-N] [-L] [-l] [-e emailAddress] [-s
sslHost] [-q] [-R revCheckOption] [-P] [-t] [-v] [url] Verify one
or more certificates. If a direct URL argument is provided, a TLS
connection is attempted and the certificate presented by that
server is evaluated according to standard SSL server policy; other
certificates or policy options will be ignored in this case.
Options:
-c certFile Certificate to verify, in DER or PEM
format. Can be specified more than once;
leaf certificate has to be specified first.
-r rootCertFile
Root certificate, in DER or PEM format. Can
be specified more than once. If not
specified, the system anchor certificates
are used. If one root certificate is
specified, and zero (non-root) certificates
are specified, the root certificate is
verified against itself.
-p policy Specify verification policy (ssl, smime,
codeSign, IPSec, basic, swUpdate, pkgSign,
eap, appleID, macappstore, timestamping).
Default is basic.
-C Specify this evaluation is for client
usage, if the verification policy (e.g.
ssl) distinguishes between client and
server usage. Default is server usage.
-d date Date to set for verification. Specified in
the format of YYYY-MM-DD-hh:mm:ss (time
optional). e.g: 2016-04-25-15:59:59 for
April 25, 2016 at 3:59:59 pm in GMT
-k keychain Keychain to search for intermediate CA
certificates. Can be specified multiple
times. Default is the current user's
keychain search list.
-n name Specify a name to be verified, e.g. the SSL
host name for the ssl policy, or RFC822
email address for the smime policy. For
backward compatibility, if the -n option is
provided without an argument, it will be
interpreted as equivalent to -N.
-N Avoid searching any keychains.
-L Use local certificates only. If an issuing
CA certificate is missing, this option will
avoid accessing the network to fetch it.
-l Specifies that the leaf certificate is a CA
cert. By default, a leaf certificate with a
Basic Constraints extension with the CA bit
set fails verification.
-e emailAddress
Specify email address for the smime policy.
(This option is deprecated; use -n
instead.)
-s sslHost Specify SSL host name for the ssl policy.
(This option is deprecated; use -n
instead.)
-q Quiet, no stdout or stderr.
-R revCheckOption
Specify a revocation checking option for
this evaluation (ocsp, require, offline).
Can be specified multiple times; e.g. to
enable revocation checking via the OCSP
method and require a positive response, use
"-R ocsp -R require". The offline option
will consult previously cached responses,
but will not make a request to a revocation
server.
-P Output the constructed certificate chain in
PEM format.
-t Output certificate contents as text.
-v Specify verbose output, including per-
certificate trust results.
Examples
security> verify-cert -c applestore0.cer -c applestore1.cer
-p ssl -n store.apple.com
security> verify-cert -r serverbasic.crt
security> verify-cert -v https://www.apple.com
authorize [-updPiew] [right...] Authorize requested right(s). The
extend-rights flag will be passed by default.
Options:
-u Allow user interaction.
-p Allow returning partial rights.
-d Destroy acquired rights.
-P Pre-authorize rights only.
-l Operate authorization in least privileged
mode.
-i Internalize authref passed on stdin.
-e Externalize authref to stdout
-w Wait while holding AuthorizationRef until
stdout is closed. This will allow client to
read externalized AuthorizationRef from
pipe.
Examples
security> security authorize -ud my-right
Basic authorization of my-right.
security> security -q authorize -uew my-right | security -q
authorize -i my-right
Authorizing a right and passing it to another
command as a way to add authorization to shell
scripts.
authorizationdb read <right-name>
authorizationdb write <right-name> [allow|deny|<rulename>]
authorizationdb remove <right-name> Read/Modify authorization
policy database. Without a rulename write will read a dictionary
as a plist from stdin.
Examples
security> security authorizationdb read
system.privilege.admin > /tmp/aewp-def
Read definition of system.privilege.admin right.
security> security authorizationdb write system.preferences
< /tmp/aewp-def
Set system.preferences to definition of
system.privilege.admin right.
security> security authorizationdb write system.preferences
authenticate-admin
Every change to preferences requires an Admin user
to authenticate.
execute-with-privileges <program> [args...] Execute tool with
privileges. On success stdin will be read and forwarded to the
tool.
leaks [-h] [-cycles] [-nocontext] [-nostacks] [-exclude symbol]
Run /usr/bin/leaks on this process. This can help find memory
leaks after running certain commands.
Options:
-cycles Use a stricter algorithm (See leaks(1) for
details).
-nocontext Withhold the hex dumps of the leaked
memory.
-nostacks Don't show stack traces of leaked memory.
-exclude symbol
Ignore leaks called from symbol.
smartcards token [-l] [-e token] [-d token] Enable, disable or
list disabled smartcard tokens.
Options:
-l List disabled smartcard tokens.
-e token Enable smartcard token.
-d token Disable smartcard token.
To list tokens available in the system
pluginkit -m -p com.apple.ctk-tokens
Examples
security smartcards token -l
security smartcards token -d
com.apple.CryptoTokenKit.pivtoken
security smartcards token -e
com.apple.CryptoTokenKit.pivtoken
list-smartcards Display ids of available smartcards.
export-smartcard token [-i id] [-t certs|privKeys|identities|all]
[-e exportPath] Export/display items from a smartcard. If id isn't
provided, items from all smartcards will be displayed.
Options:
-i id Export/display items from token specified
by token id, available ids can be listed by
list-smartcards command.
-t certs|privKeys|identities|all
Display items of the specified type
(Default: all)
-e exportPath Specify path to export certificates and
public keys. If exportPath
is specified screen output is suppressed.
This option cannot be combined with -t
option.
error [-h] [<error code(s)...>] Display an error string for the
given security-related error code. The error can be in decimal or
hex, e.g. 1234 or 0x1234. Multiple errors can be separated by
spaces.
ENVIRONMENT
MallocStackLogging
When using the leaks command or the -l option it's probably a
good idea to set this environment variable before security is
started. Doing so will allow leaks to display symbolic
backtraces.
FILES
~/Library/Preferences/com.apple.security.plist
Property list file containing the current user's default
keychain and keychain search list.
/Library/Preferences/com.apple.security.plist
Property list file containing the system default keychain and
keychain search list. This is used by processes started at boot
time, or those requesting to use the system search domain, such
as system daemons.
/Library/Preferences/com.apple.security-common.plist
Property list file containing the common keychain search list,
which is appended to every user's search list and to the system
search list.
SEE ALSO
certtool(1), leaks(1), pluginkit(8)
HISTORY
security was first introduced in Mac OS X version 10.3.
BUGS
security still needs more commands before it can be considered complete.
In particular, it should someday supersede both the certtool and
systemkeychain commands.
Darwin March 15, 2017 Darwin
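The authorizationdb section of the man page above reads a right's definition to a file with `security authorizationdb read <right-name>` and writes it back with `allow`, `deny` or a named rule such as `authenticate-admin`. The following added example (not part of the gist or of the security(1) man page) parses the property list that `authorizationdb read` prints and classifies how the right is protected, so an administrator can spot rights that have been loosened to `allow` or to a non-admin group. The sample plists are constructed for this example, and the key layout (`class`, `group`, `rule`, `allow-root`, `shared`, `timeout`) is assumed from the macOS authorization database format rather than taken from the page.

```python
"""Audit authorization-right definitions as exported by `security authorizationdb read`.

Added example; not the gist's code and not part of security(1). The plist key
names used here (class, group, rule, allow-root, shared, timeout) are assumed
from the macOS authorization database layout.
"""
import os
import plistlib
import sys
from dataclasses import dataclass
from typing import Dict, List

_PLIST_HEAD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    '<plist version="1.0">\n<dict>\n'
)
_PLIST_TAIL = "</dict>\n</plist>\n"


def _plist(body: str) -> bytes:
    """Wrap a dict body in plist boilerplate (used only to build the constructed samples)."""
    return (_PLIST_HEAD + body + _PLIST_TAIL).encode()


# Constructed samples in the assumed shape of `security authorizationdb read` output.
SAMPLE_ADMIN_RIGHT = _plist(          # the usual state of system.preferences
    "  <key>allow-root</key><true/>\n"
    "  <key>class</key><string>user</string>\n"
    "  <key>group</key><string>admin</string>\n"
    "  <key>shared</key><true/>\n"
    "  <key>timeout</key><integer>2147483647</integer>\n"
)
SAMPLE_ALLOW_RIGHT = _plist("  <key>class</key><string>allow</string>\n")  # after `write ... allow`
SAMPLE_RULE_RIGHT = _plist(           # after `write ... authenticate-admin`
    "  <key>class</key><string>rule</string>\n"
    "  <key>rule</key><array><string>authenticate-admin</string></array>\n"
)
SAMPLE_EVERYONE_RIGHT = _plist(       # any local user may satisfy the prompt
    "  <key>class</key><string>user</string>\n"
    "  <key>group</key><string>everyone</string>\n"
)

SEVERITY_ORDER = {"high": 0, "warn": 1, "ok": 2}


@dataclass
class Finding:
    right: str
    severity: str  # "high" (no authentication), "warn" (review), "ok"
    reason: str


def audit_right(name: str, plist_bytes: bytes) -> Finding:
    """Classify one right definition by the authentication it demands."""
    d = plistlib.loads(plist_bytes)
    cls = d.get("class")
    if cls == "allow":
        return Finding(name, "high", "class=allow: granted to any caller without authentication")
    if cls == "deny":
        return Finding(name, "ok", "class=deny: never granted")
    if cls == "user":
        group = d.get("group")
        if group == "admin":
            return Finding(name, "ok", "class=user, group=admin: admin authentication required")
        return Finding(name, "warn", f"class=user, group={group!r}: members of a non-admin group can authenticate")
    if cls == "rule":
        rules = [str(r) for r in d.get("rule", [])]
        if "allow" in rules:
            return Finding(name, "high", "delegates to the 'allow' rule: no authentication")
        if rules and any(r.startswith("authenticate-") for r in rules):
            return Finding(name, "ok", f"delegates to {rules}: authentication required")
        return Finding(name, "warn", f"delegates to {rules}: review the named rules manually")
    return Finding(name, "warn", f"unrecognised class {cls!r}: review manually")


def audit_many(rights: Dict[str, bytes]) -> List[Finding]:
    """Audit several exported rights, most severe first."""
    findings = [audit_right(n, b) for n, b in rights.items()]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.right))


if __name__ == "__main__":
    # With file arguments, audit real exports (e.g. /tmp/aewp-def from the man page
    # example); without arguments, run the constructed samples.
    if len(sys.argv) > 1:
        exported = {os.path.basename(p): open(p, "rb").read() for p in sys.argv[1:]}
    else:
        exported = {
            "system.preferences": SAMPLE_ADMIN_RIGHT,
            "sample.allow": SAMPLE_ALLOW_RIGHT,
            "sample.rule": SAMPLE_RULE_RIGHT,
            "sample.everyone": SAMPLE_EVERYONE_RIGHT,
        }
    for f in audit_many(exported):
        print(f"[{f.severity:4}] {f.right}: {f.reason}")
```

To audit a live system, export each right of interest with `security authorizationdb read <right-name> > <file>` as the man page shows and pass the files as arguments; the script never writes to the database, so it is safe to run before deciding whether a `write` back to `authenticate-admin` is warranted.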