Monday, October 22, 2018

#1 2018-04-10 01:55:22 am

druido
Member
Registered: 2010-09-03
Posts: 102

GUI scripting SecurityAgent on macOS High Sierra

My CSVKeychain script (https://github.com/lifepillar/CSVKeychain) has an issue with SecurityAgent in recent versions of macOS (High Sierra and possibly earlier versions). The following script illustrates the problem:

Applescript:


set theKeychain to "/Users/me/Library/Keychains/test.keychain" -- Change as needed
set thePassword to "test123" -- Change as needed

do shell script ¬
   "security -q dump-keychain -d " & quoted form of POSIX path of the theKeychain & " &>/dev/null" & " &"

delay 2 -- Wait for SecurityAgent to start

repeat
   
   try
       
       tell application "System Events"
           tell process "SecurityAgent"
               set securityWindow to get windows -- returns {} - WHY?
               set value of text field 1 of item 1 of securityWindow to thePassword
               click button "Allow" of window 1
           end tell
       end tell
       
       delay 1 -- Wait for the next SecurityAgent process
       
   on error
       
       try -- to wait a bit if security is still running
           
           do shell script "ps -x -o comm | grep ^security$" -- Exit code 1 if grep fails to match
           delay 1
           
       on error
           exit repeat
       end try
   end try
end repeat

When I run this script, SecurityAgent's dialog pops up asking for a password to unlock a keychain item, but the script does not get any windows (you get a better feeling of what's happening if you keep an eye on Script Editor's Events tab). I need to click on the dialog (and sometimes drag it a bit) to have the script get Security Agent's window. Then the script can set the password and press the button.

Do you have any idea how this can be fixed?


#2 2018-04-11 08:59:53 am

t.spoon
Member
From: BFE, Massachusetts
Registered: 2013-01-13
Posts: 315

Re: GUI scripting SecurityAgent on macOS High Sierra

I changed the path for "theKeychain" to a valid keychain on my computer.

I take it that the terminal line
"security -q dump-keychain -d " & quoted form of POSIX path of the theKeychain & " &>/dev/null" & " &"
is supposed to make a pop-up window asking for my password, but I'm not getting that, so I'm flying blind here trying to help.

I've noticed that for some applications but not others, AppleScript cannot read their UI elements at all unless the application is in the foreground. Presumably the dialog asking for the password does pop up in front so this isn't the problem, but it might be worth looking at.

When I write something along these lines, I do it like this:

Applescript:


set theKeychain to "/Users/me/Library/Keychains/test.keychain" -- Change as needed
set thePassword to "test123" -- Change as needed

do shell script ¬
   "security -q dump-keychain -d " & quoted form of POSIX path of the theKeychain & " &>/dev/null" & " &"

set repeatCount to 0
repeat
   set repeatCount to repeatCount + 1
   if repeatCount > 10 then
       display dialog "The script did not complete because it was unable to detect a login window that should have opened." buttons {"Cancel"} default button "Cancel"
   else
       try
           tell application "System Events"
               tell process "SecurityAgent"
                   set frontmost to true
                   delay 0.5
                   set securityWindow to get windows
                   set value of text field 1 of item 1 of securityWindow to thePassword
                   click button "Allow" of window 1
                   exit repeat
               end tell
           end tell
       end try
       delay 1
   end if
end repeat


Hackintosh built February, 2012 |  Mac OS Sierra
GIGABYTE GA-Z68X-UD3H-B3 | Core i5 2500k | 16 GB DDR3 | GIGABYTE Geforce 1050 TI 4GB
250 GB Samsung 850 EVO | 4 TB RAID
Dell Ultrasharp U3011 | Dell Ultrasharp 2007FPb


#3 2018-04-11 11:17:04 am

druido
Member
Registered: 2010-09-03
Posts: 102

Re: GUI scripting SecurityAgent on macOS High Sierra

Try this: open Keychain.app, select one item, then go to File > Get Info > Access Control and check “Confirm before allowing access”. Repeat with other items if you like. Then, lock the keychain. Finally, launch my script.

I've tried setting frontmost to true, but that does not seem to help.


#4 2018-04-11 11:38:52 am

druido
Member
Registered: 2010-09-03
Posts: 102

Re: GUI scripting SecurityAgent on macOS High Sierra

In fact, you don't need to lock your keychain. If you do, you'll first get the dialog to unlock the keychain (which has an OK button instead of Allow): just enter your password and press OK (the script won't insert the password anyway, unless you click on the dialog or drag it a bit).


#5 2018-04-11 02:19:31 pm

t.spoon
Member
From: BFE, Massachusetts
Registered: 2013-01-13
Posts: 315

Re: GUI scripting SecurityAgent on macOS High Sierra

I checked several items in the keychain in question, but they already all had “Confirm before allowing access” checked. I tried locking the keychain. I still never see a dialog.

I tried running the command from the terminal without sending the output to null and I still don't get a password prompt or any output. I'm not familiar with the shell "security" command, so I have no idea what the expected behavior is here.

I've been doing a lot of UI scripting lately, so thought I'd take a look. But it's hard for me to help troubleshoot without being able to get the window you're trying to UI script up on my computer.

- Tom.



#6 2018-04-13 07:02:09 am

druido
Member
Registered: 2010-09-03
Posts: 102

Re: GUI scripting SecurityAgent on macOS High Sierra

The only thing that comes to my mind is that you have security white-listed. Does it appear under “Always allow access by these applications” in the Access Control tab of your keychain items?

If you run

security dump-keychain -d ~/Library/Keychains/SOME_KEYCHAIN

a dialog must appear if the keychain is locked, because -d asks to print all the passwords in clear. If that doesn't happen, either the keychain is already open (in Keychain.app) or maybe macOS caches the password for some time. You may try

security lock-keychain -a

to lock all keychains before executing the command above.

Edit: fixed typos.

Last edited by druido (2018-04-13 07:03:41 am)
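
Since -d asks security to print all the passwords in clear, a process-monitoring rule for that invocation is a useful companion to the commands in this thread. The following Python check is an added example, not part of the original posts; the sample command lines are constructed, and it assumes that -p is the only global option of security that takes an argument.

```python
import os
import shlex

SHELLS = {"sh", "bash", "zsh"}

def dumps_secrets(cmdline):
    """True if cmdline runs `security dump-keychain` with the -d option."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes, e.g. a truncated log line
        return False
    # A script launcher may wrap the command as: sh -c '<script>'
    if len(tokens) >= 3 and os.path.basename(tokens[0]) in SHELLS and tokens[1] == "-c":
        return dumps_secrets(tokens[2])
    # Locate the security binary, whether bare or given with a path.
    start = next((i for i, t in enumerate(tokens)
                  if os.path.basename(t) == "security"), None)
    if start is None:
        return False
    argv, i = tokens[start:], 1
    # Skip global options such as -q; assumption: only -p takes an argument.
    while i < len(argv) and argv[i].startswith("-") and len(argv[i]) > 1:
        flags = argv[i][1:]
        if flags.endswith("p") and flags.index("p") == len(flags) - 1:
            i += 1                # the prompt string is the next token
        i += 1
    if i >= len(argv) or argv[i] != "dump-keychain":
        return False
    # getopt-style scan: options end at the first non-option token.
    for tok in argv[i + 1:]:
        if not tok.startswith("-") or tok in ("-", "--"):
            break
        if "d" in tok[1:]:        # -d alone or combined, e.g. -rd
            return True
    return False

# Constructed sample command lines (not captured from a real system).
SAMPLE = [
    '/bin/sh -c "security -q dump-keychain -d /Users/me/Library/Keychains/test.keychain &>/dev/null &"',
    "security dump-keychain -rd login.keychain",
    "security dump-keychain ~/Library/Keychains/SOME_KEYCHAIN",
    "security lock-keychain -a",
    "ps -x -o comm | grep ^security$",
]

def flagged(lines):
    """Return the command lines that would dump keychain secrets."""
    return [line for line in lines if dumps_secrets(line)]

if __name__ == "__main__":
    for line in flagged(SAMPLE):
        print("ALERT keychain secret dump:", line)
```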


#7 2018-06-11 12:43:14 am

druido
Member
Registered: 2010-09-03
Posts: 102

Re: GUI scripting SecurityAgent on macOS High Sierra

Someone pointed me to this GitHub thread: https://gist.github.com/rmondello/b9332 … nt-2272755, which seems to help here.
