Launchd not able to access Mac OS keychains
A

2

5

I have a Python script which I am executing through a shell script for some reason (not important here). In my script I am basically fetching some URL content and sending emails to specific people. I have added the security keychain for that using something like this:

security add-generic-password -s SMTP -a USERID -w PASSWORD

When run from the command line I was prompted to give access to the keychain item for the 'security' command. After granting access via Keychain Access I can run the script and it no longer prompts for the retrieval of the password and it does send me emails.

But Cron Job and Launchd don't give me the desired output. After googling a bit I found that a cron job doesn't have access to keychains and I need to give the password while running as a cron job if I want it to serve the purpose. I am not very sure whether launchd has access to keychains or not. It seems to have worked for the person below, for Ruby: https://lists.macosforge.org/pipermail/launchd-dev/2008-August/000363.html

I have the same problem as that guy did. When invoked from launchctl I do not get any emails. However, if I hardcode the passwords in my code I do get the emails at the specified time. So I am assuming that my problem here is the keychains, which launchd is not able to read. Is there a way to grant launchd access to the keychains? I have my com.Query.plist file in the $HOME/Library/LaunchAgents directory.

Appointed answered 30/11, 2017 at 21:35 Comment(0)
E
13

I ran into this today too.

It seems to be not well documented, but if you add the following to your plist your application will be able to see the user keychains when running as a LaunchAgent:

<key>SessionCreate</key>
<true/>

Credit to:

Experiment answered 14/3, 2018 at 23:1 Comment(3)
I had to set this to false to use a script that added to my keychain. - Implement
This was the piece that I was missing to have the needed Keychain be available BUT ALSO had to do a reboot because a launchctl unload and then launchctl load was not sufficient. A full reboot was needed. - Geosynclinal
Wow, thanks a ton! If you use a LaunchDaemon, this key must be set as true. - Stagestruck
H
1

Just for reference

❯ man launchd.plist
...
     SessionCreate <boolean>
     This key specifies that the job should be spawned into a new security audit session rather than the default session for the context is
     belongs to. See auditon(2) for details.

Setting this key will prevent you from accessing the keychain if you're running a LaunchAgent. Just leave the defaults as-is, and keychain access works out of the box—for LaunchAgents.

Hindbrain answered 20/1, 2022 at 23:4 Comment(0)
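
A Python helper, added here and not taken from any of the posts above, that reports a job's SessionCreate setting and reads the password with the `security` CLI so that a failed lookup under launchd raises an error on stderr instead of silently sending no mail. The function names, the sample plist, the script path and the log path are assumptions; SMTP, USERID and com.Query come from the question.

```python
import plistlib
import subprocess

# Constructed sample job definition; the label matches the question's
# com.Query.plist, the script path and log path are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.Query</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/path/to/run.sh</string></array>
  <key>SessionCreate</key><true/>
  <key>StandardErrorPath</key><string>/tmp/com.Query.err</string>
</dict>
</plist>"""


def job_summary(plist_bytes):
    """Report the keys that matter when debugging keychain access."""
    job = plistlib.loads(plist_bytes)
    return {
        "label": job.get("Label"),
        # None means the key is absent, i.e. launchd's default applies.
        "session_create": job.get("SessionCreate"),
        # Without a stderr path the error raised below is never seen.
        "stderr_path": job.get("StandardErrorPath"),
    }


def keychain_password(service, account, run=subprocess.run):
    """Read a generic password with the `security` CLI, failing loudly."""
    proc = run(
        ["security", "find-generic-password", "-s", service, "-a", account, "-w"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        raise RuntimeError(
            f"keychain lookup for {service}/{account} failed "
            f"(exit {proc.returncode}): {proc.stderr.strip()}"
        )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    print(job_summary(SAMPLE_PLIST))
    # Service and account names are the ones used in the question.
    print(len(keychain_password("SMTP", "USERID")), "characters retrieved")
```

Running the same script from a terminal and from the launchd job, then comparing the stderr log, shows whether the keychain lookup is the step that fails for a given SessionCreate value.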
