How to delete a keychain reference from command line
From the Keychain app I have the option to delete just the reference to a listed keychain that was unlocked and listed via the command line. But from the command line (man security) I don't seem to have this option, only the option to delete the file plus the reference to this keychain.


How can I just remove a reference to a keychain I unlocked previously from the command line? I want to clean up and remove (unlist?) the keychain again after I performed some operations with it (because it remains visible in the Keychain app if not deleted).

Naught answered 28/9, 2016 at 22:43

The delete-keychain command-line option to security deletes the keychain file and removes it from the search list of keychains. To just delete the reference of the keychain from the search list use list-keychains -s, rewriting the list while removing the one you want to disappear.

list-keychains vs. delete-keychain

At the command-line the references are handled by list-keychains and the database/keychain-file is handled by delete-keychain.

Usual workflow

# Get the current user-domain search list (-d takes a domain: user, system, common or dynamic); note the names
security list-keychains -d user

# Create a new keychain
security create-keychain -p <password> MyNew.keychain

# Adjust the 'references' by rewriting the search list; -s replaces the whole list,
# so every keychain that should stay listed (e.g. login.keychain) must be named again
security list-keychains -d user -s MyNew.keychain <space separated list of other keychains>

# Delete the keychain file and its reference
security delete-keychain MyNew.keychain
Cleanshaven answered 13/10, 2018 at 7:11
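One way to script the answer's list-keychains -s workflow, as an added example and not the answer's own code: read the current user search list, drop the wanted entry, and write the rest back, so the file stays on disk and only its listing goes away. It assumes the quoted one-path-per-line output of `security list-keychains`; the function names are invented here.

```shell
#!/bin/sh
# Added example (not from the answer above): unlist one keychain from the user
# search list without deleting its file, by rewriting the list with
# `security list-keychains -d user -s`. Function names are this example's own.

# Read `security list-keychains -d user` output on stdin (one quoted path per
# line) and print the remaining paths, quotes stripped, with $1 removed.
# Matches on basename with any "-db" suffix ignored, so "MyNew.keychain"
# also drops the "MyNew.keychain-db" form used since macOS Sierra.
filter_search_list() {
    target=$(basename "$1" | sed 's/-db$//')
    while IFS= read -r line; do
        path=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//')
        [ -n "$path" ] || continue
        name=$(basename "$path" | sed 's/-db$//')
        if [ "$name" != "$target" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Rewrite the user-domain search list without $1; the keychain file stays on
# disk and only the entry shown by the Keychain app disappears.
unlist_keychain() {
    target=$1
    set --
    while IFS= read -r p; do
        if [ -n "$p" ]; then set -- "$@" "$p"; fi
    done <<EOF
$(security list-keychains -d user | filter_search_list "$target")
EOF
    # Refuse to write an empty list: -s replaces the whole list, so that
    # would unlist login.keychain as well.
    if [ $# -eq 0 ]; then
        echo "refusing to empty the search list" >&2
        return 1
    fi
    security list-keychains -d user -s "$@"
}
```

Run `unlist_keychain MyNew.keychain` after the operations that needed the keychain; `security list-keychains -d user` afterwards shows it gone while the file is still in ~/Library/Keychains.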

You delete the file directly using rm command. Location will be one of the following depending upon whether the keychain is in system domain or user domain.

System domain keychain location

$ ls -l /Library/Keychains/
total 392
-rw-r--r--  1 root  wheel  20460 Aug 21  2014 ConnectedBackup.keychain
-rw-r--r--  1 root  wheel  23732 Aug 21  2014 FileVaultMaster.keychain
-rw-r--r--  1 root  wheel  89560 Sep 19 21:37 System.keychain
-rw-r--r--  1 root  wheel  20460 Nov 10  2014 System.keychain-orig

User domain keychain location

$ ls -l ~/Library/Keychains/
total 1392
drwx------  8 Kevin  1437522721     272 Jul  1  2015 386EC17D-8428-522E-B9DD-CE89C60F0F10
-rw-r--r--@ 1 Kevin  1437522721   40776 Jan 25  2016 Microsoft_Entity_Certificates
-rw-r--r--@ 1 Kevin  1437522721   34368 Jan 25  2016 Microsoft_Intermediate_Certificates
-rw-r--r--@ 1 Kevin  1437522721  513136 Sep 27 20:05 login.keychain
-rw-------  1 Kevin  1437522721   87552 Sep 28 16:59 metadata.keychain

So if you want to delete login keychain from user domain you would

$ rm -rf ~/Library/Keychains/login.keychain

(Name of the keychain as it appears in the keychain utility is filename without the suffix .keychain)

EDIT

macOS Sierra and above have -db extensions

Adder answered 29/9, 2016 at 5:39
But I do not want to remove the file, just the reference! - Naught

@anubis My assumption is that it is not possible. If you just want to remove the reference then move the files to some other location of your choice out of /Library/Keychains - Adder

@Naught that's also what I want. Deleting the keychain file and copying a new one with updated content (same file name - appstore.keychain) shows the old content! That's why I need a command that will either delete the references or refresh the content from the file on disk. If anyone knows how this works please tell us. Our iOS build farm of Mac minis is suffering an issue where an AppStore keychain downloaded from a secure location is not able to be updated on the build machine due to having an old cert in the keychain. But when I do the exact same steps on a different set of Macs the content is updated. - Proximo

@PnotNP this did not work in my case. The Keychain Access app was able to delete references and the keychain file, but deleting the file with the rm command does not allow me to see new content when a keychain file with the same file and pathname as the deleted one (with the rm command) is copied into place. It shows in the Keychain Access app with the old expired cert. But a different Mac shows different results. Our build fleet Macs are on macOS 10.12.6 and fresh reboots daily. If I have to log in to perform this action on a farm of 50 Macs to delete the keychain in the app I will be wasting a significant amount of time. - Proximo

@PatrickD "Remove reference" is just the Keychain utility's prerogative. On the file system there is no reference, just the same plain old files. Keychain is keeping the reference. Your problem seems to be somewhere else, not in the keychain itself. - Adder

@PatrickD deleting with the rm command then replacing with a new file will not work either, because the Keychain utility is smart enough to figure out what you just did. Your best bet is to create a new keychain or just modify the content within the keychain and "refresh your apps" to use the new content. - Adder

Thanks @PnotNP, there was another file "appstore.keychain-db" which needed to be deleted. Apparently on macOS Sierra this is a new file that didn't exist in previous versions (El Capitan, Yosemite). Removing that -db file solved my issue! - Proximo
