Check Your Keychain

October 30th, 2007

If you, like me, have essentially kept a single keychain from the dawn of time, there’s a feature in the Keychain Access application you need to know about: “Keychain First Aid.”

You find it under the Keychain Access menu, just below Preferences. Whenever I see anything unusual happening with my keychain, I try to remember to hop into Keychain Access and re-run this. Putting aside the question of why my keychain is allowed to get so routinely screwed up that it requires “first aid,” let me say that I appreciate this repair functionality because it generally solves problems quickly and effectively.

Starting with Leopard 10.5, I saw some really strange behavior. Sometimes keychain seemed to contain my web passwords, for instance, and sometimes not. I hopped into Keychain Access and did the first first aid dance. Whoa, mega-red warnings. The first thing that stood out for me is that I somehow had come into a situation where I have two keychains named “daniel”, each configured as part of my keychain search list.

It turns out that in my ~/Library/Keychains folder there exist two keychain files, but one of them contains the “.keychain” extension, while the other does not. I suspect what happened is at some point (in 10.5?) Apple decided to require that keychains have this file extension, so they quietly upgraded my existing keychain without removing the original. This explains my feeling that keychain was mysteriously showing duplicates for many keychain items!

What’s really mysterious though is the way it continued to access both keychains, apparently sometimes choosing from one and sometimes from the other. It made me wonder which was most up to date, but I couldn’t really guess since each had recent modified dates. I picked one and moved the other to the side as a “backup.” Now I’ve got a single “daniel” keychain, and everything should be fine. If I find myself missing a password, I’ll have to rename the backup to “bogus” or something, import it to Keychain Access, and search it for the password to copy over into the one-true-keychain.

(Note: Unless you’re a really old-timer like me, chances are your “daniel” keychain is called “login”. It’s probably wisest to keep it this way, because Apple’s First Aid also seems to get upset sometimes if there isn’t a keychain in the search list with that name. I stubbornly refuse to change, for now.)
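
The duplicate described above (one keychain file with the “.keychain” extension and one without, both in the search list) can be checked for from Terminal. This is an added example, not part of the original post; the function name `shadowed_keychains` is made up here, and the search-list text is assumed to be in the format printed by `security list-keychains`.

```shell
#!/bin/sh
# Added example (not from the original post): find keychain files that exist
# both with and without the ".keychain" extension, and flag pairs where both
# files appear in the keychain search list.

# shadowed_keychains DIR [SEARCH_LIST]
#   DIR          directory to scan (default: ~/Library/Keychains)
#   SEARCH_LIST  text in the format printed by `security list-keychains`
# Prints one tab-separated line per pair:
#   name, newer file of the two, "both-searched" or "ok"
shadowed_keychains() {
    dir=${1:-"$HOME/Library/Keychains"}
    list=${2:-}
    for ext in "$dir"/*.keychain; do
        [ -f "$ext" ] || continue            # glob matched nothing
        bare=${ext%.keychain}
        [ -f "$bare" ] || continue           # no extension-less twin
        name=${bare##*/}
        # find -newer prints the path only if $bare was modified after $ext
        if [ -n "$(find "$bare" -newer "$ext")" ]; then
            newer=$name
        else
            newer=$name.keychain
        fi
        # Search-list entries are full paths wrapped in double quotes.
        state=ok
        if printf '%s\n' "$list" | grep -qF "\"$bare\"" &&
           printf '%s\n' "$list" | grep -qF "\"$ext\""; then
            state=both-searched
        fi
        printf '%s\t%s\t%s\n' "$name" "$newer" "$state"
    done
    return 0
}

# On macOS, scan the real folder against the live search list.
if command -v security >/dev/null 2>&1; then
    shadowed_keychains "$HOME/Library/Keychains" "$(security list-keychains)"
fi
```

A `both-searched` line means lookups can be answered from either file, which matches the intermittent missing passwords and duplicate items described above. The modification time only tells you which file was written last, not which one holds the complete set of items.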

8 Responses to “Check Your Keychain”

  1. Robert 'Groby' Blum Says:

    Hey, thanks for listing this. I already followed Apple’s TN on Keychain/Leopard, but this solves a few more problems.

    There are still certificate issues, but it’s getting closer. I guess this is one of the reasons why the poor bugreport site is crashing all the time, too – too many bugs in Leopard.

  2. Grady Haynes Says:

    My Leopard install experience was marred by my user account having its administrative privileges removed (fortunately another user’s account on the machine still was an administrator) and its keychain, which formerly was named the same as my user account, seemingly renamed to “login” and made undefault.

    No major issues since discovering and fixing these two, so I’m happy, but many people would have found themselves stuck.

  3. Grady Haynes Says:

    Oh yeah, meant to say that I’ve been a fairly heavy Keychain user since at least the days of 10.1 and I’ve never had corruption at all. Just ran First Aid and it didn’t find anything wrong. I wonder what’s messing yours up.

  4. Mike Says:

    Thanks for this, Daniel – I haven’t run this in a while, and it did find errors when I actually checked. I wish it was easier to manage keychains…particularly, importing and exporting.

  5. Scott Fannen Says:

    I had the same thing – I had some problem where it couldn’t save to keychain so I went in there and had the same things – it took a few “first aids” to make it happy though.

    Complete with the old timer keychain, the missing suffix and so forth :)

  6. Ash Ponders Says:

    Mine is called “butterfly” even though that hasn’t been my username for ages.
    Can I just rename it?

  7. Daniel Jalkut Says:

    Ash: In my experience the safest way is:

    1. Duplicate the existing Keychain item in the Finder and rename the copy
    2. Double click it to open/import into Keychain Access
    3. Make the duplicate the new “default” item (it becomes bold)
    4. Delete the old keychain from Keychain Access

    Make mondo backups of all your keychains before doing anything, of course.

  8. Geoff Hutchison Says:

    Daniel,

    I experienced this bug during the Leopard seeds and reported it, along with my analysis and a workaround (as you describe above). I’m saddened that it didn’t get fixed before the release.

    In my case, Keychain couldn’t even access the “login.keychain” version which Leopard installed. So I immediately knew something was wrong.

    I’m wondering if it only affects those of us who used 10.0, considering the comments in this thread?
