Add a keychain to search list?

问题

I need to add a .keychain file to my keychains search list for some automated build tools. Currently I'm using security list-keychains command:

list-keychains [-h] [-d user|system|common|dynamic] [-s [keychain...]]
        Display or manipulate the keychain search list.

This command let's you set the entire keychain search list, but it does not provide a way to simply add another keychain. So adding a keychain becomes a 2 step process.

1. Run list-keychains and parse the output
2. Then do something like list-keychains -s ${existing_chains} ${new_keychain}

While this works, it seems overly complicated and introduces a race condition.

Also it seems like open my.keychain will add it to the search list, but I tend to avoid using commands like open in scripting or headless environments.

Is there a simpler or better way to add a keychain to the search list?

回答1:

It's 2017 and on macos 10.12.4 security create-keychain still does not add a new keychain to the search list. Here's my script to add and destroy temporary keychains step by step:

#!/bin/bash -e

uuid="$(uuidgen)"

echo "New Keychain name: $uuid"

keychains=$(security list-keychains -d user)

keychainNames=();

for keychain in $keychains
do
  basename=$(basename "$keychain")
  keychainName=${basename::${#basename}-4}
  keychainNames+=("$keychainName")
done

echo "User keychains on this machine: ${keychainNames[@]}";




read -p "Enter to create keychain"
security -v create-keychain -p test123 $uuid

read -p "Enter to add keychain to searchlist"
security -v list-keychains -s "${keychainNames[@]}" $uuid

read -p "Enter to unlock keychain"
security -v unlock-keychain -p test123 $uuid

read -p "Enter to import certificate"
security -v import build-assets/certficate.p12 -k $uuid -P certificate_password

read -p "Enter to delete keychain"
security -v delete-keychain $uuid

回答2:

Which automated tools are you using? I had a similar problem with building for iPhone using Jenkins under tomcat. I tried adding keychains in the shell script but it proved very flakey at best.

In the end, I worked around the problem by switching our build process to be running via LaunchAgents instead of LaunchDemons. This way the build tools run in the user context and things have become lot more reliable.

Is this a possibility for you? If so, I can provide more detail.

回答3:

A one line version of @mles solution above:

security list-keychains -d user -s $(security list-keychains -d user | sed -e s/\"//g) <new keychain>

The issue with directly piping in the output of security list-keychains -d user is it surrounds the results with quotes. Solution uses sed to strip them out.

回答4:

There is NOT a better way that I'm aware of - however it appears that maybe create-keychain will do what you want:

security create-keychain -h

returns:

Usage: create-keychain [-P] [-p password] [keychains...]
    -p  Use "password" as the password for the keychains being created
    -P  Prompt the user for a password using the SecurityAgent
Use of the -p option is insecure
        Create keychains and add them to the search list.

来源：https://stackoverflow.com/questions/10538942/add-a-keychain-to-search-list