GUI scripting SecurityAgent on macOS High Sierra

My CSVKeychain script (https://github.com/lifepillar/CSVKeychain) has an issue with SecurityAgent in recent versions of macOS (High Sierra and possibly earlier versions). The following script illustrates the problem:


set theKeychain to "/Users/me/Library/Keychains/test.keychain" -- Change as needed
set thePassword to "test123" -- Change as needed

do shell script ¬
	"security -q dump-keychain -d " & quoted form of POSIX path of theKeychain & " >/dev/null 2>&1 &" -- trailing & returns control at once; output discarded with the portable redirect (&> is bash-only)

delay 2 -- Wait for SecurityAgent to start

repeat
	
	try
		
		tell application "System Events"
			tell process "SecurityAgent"
				set securityWindow to get windows -- returns {} - WHY?
				set value of text field 1 of item 1 of securityWindow to thePassword
				click button "Allow" of window 1
			end tell
		end tell
		
		delay 1 -- Wait for the next SecurityAgent process
		
	on error
		
		try -- to wait a bit if security is still running
			
			do shell script "ps -x -o comm | grep ^security$" -- Exit code 1 if grep fails to match
			delay 1
			
		on error
			exit repeat
		end try
	end try
end repeat

When I run this script, SecurityAgent’s dialog pops up asking for a password to unlock a keychain item, but the script does not get any windows (you get a better feeling of what’s happening if you keep an eye on Script Editor’s Events tab). I need to click on the dialog (and sometimes drag it a bit) to have the script get SecurityAgent’s window. Then the script can set the password and press the button.

Do you have any idea how this can be fixed?

I changed the path for “theKeychain” to a valid keychain on my computer.

I take it that the terminal line

"security -q dump-keychain -d " & quoted form of POSIX path of theKeychain & " &>/dev/null" & " &"

is supposed to make a pop-up window asking for my password, but I’m not getting that, so I’m flying blind here trying to help.

I’ve noticed that for some applications but not others, AppleScript cannot read their UI elements at all unless the application is in the foreground. Presumably the dialog asking for the password does pop up in front, so this isn’t the problem, but it might be worth looking at.

When I write something along these lines, I do it like this:


set theKeychain to "/Users/me/Library/Keychains/test.keychain" -- Change as needed
set thePassword to "test123" -- Change as needed

do shell script ¬
	"security -q dump-keychain -d " & quoted form of POSIX path of theKeychain & " >/dev/null 2>&1 &" -- trailing & returns control at once; output discarded with the portable redirect (&> is bash-only)

set repeatCount to 0
repeat
	set repeatCount to repeatCount + 1
	if repeatCount > 10 then
		-- A button titled "Cancel" raises error -128 (user canceled); it is not caught here, so this ends the script
		display dialog "The script did not complete because it was unable to detect a login window that should have opened." buttons {"Cancel"} default button "Cancel"
	else
		try
			tell application "System Events"
				tell process "SecurityAgent"
					set frontmost to true
					delay 0.5
					set securityWindow to get windows
					set value of text field 1 of item 1 of securityWindow to thePassword
					click button "Allow" of window 1
					exit repeat
				end tell
			end tell
		end try
		delay 1
	end if
end repeat

Try this: open Keychain.app, select one item, then go to File > Get Info > Access Control and check “Confirm before allowing access”. Repeat with other items if you like. Then, lock the keychain. Finally, launch my script.

I’ve tried setting frontmost to true, but that does not seem to help.

In fact, you don’t need to lock your keychain. If you do, you’ll get first the dialog to unlock the keychain (which has an OK button instead of Allow): just enter your password and press OK (the script won’t insert the password anyway, unless you click on the dialog or drag it a bit).

I checked several items in the keychain in question, but they already all had “Confirm before allowing access” checked. I tried locking the keychain. I still never see a dialog.

I tried running the command from the terminal without sending the output to null and I still don’t get a password prompt or any output. I’m not familiar with the shell “security” command, so I have no idea what the expected behavior is here.

I’ve been doing a lot of UI scripting lately, so thought I’d take a look. But it’s hard for me to help troubleshoot without being able to get the window you’re trying to UI script up on my computer.

Tom.

The only thing that comes to my mind is that you have security white-listed. Does it appear under “Always allow access by these applications” in the Access Control tab of your keychains items?

If you run
security dump-keychain -d ~/Library/Keychains/SOME_KEYCHAIN

a dialog must appear if the keychain is locked, because -d asks to print all the passwords in clear. If that doesn’t happen, either the keychain is already open (in Keychain.app) or maybe macOS caches the password for some time. You may try

security lock-keychain -a

to lock all keychains before executing the command above.

Edit: fixed typos.
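The shell half of the procedure that this post and the opening script describe (lock every keychain, start `security dump-keychain -d` in the background, then wait for the `security` process to finish), written as an added example that is not code from the thread or from CSVKeychain. The only `security` subcommands it uses are the two quoted in the thread; the file name `keychain_dump.sh` in the usage comments is an assumption. It differs from the posted AppleScript in two ways a practitioner would want: it tracks the `security` process by PID instead of grepping `ps` for a name, and the wait has a timeout, so a dialog that never receives the password becomes a reported failure rather than a script that spins forever.

```sh
#!/bin/sh
# Added example, not code from the thread or from CSVKeychain: the shell half of
# the procedure discussed above, as two helpers an AppleScript can call through
# `do shell script`. Only `security lock-keychain -a` and
# `security -q dump-keychain -d` (both quoted in the thread) are used; the rest
# is POSIX sh and ps(1).

# Lock every keychain (so the unlock dialog is guaranteed), start the dump in the
# background and print its PID. Output is discarded with the portable
# `>/dev/null 2>&1`: `&>/dev/null` is a bash extension that dash parses as
# "run the command in the background, then perform an empty redirection".
# Returns 2 when security(1) is missing, i.e. this is not macOS.
start_dump() {
    keychain=$1
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found: this helper only works on macOS" >&2
        return 2
    fi
    security lock-keychain -a
    security -q dump-keychain -d "$keychain" >/dev/null 2>&1 &
    echo $!
}

# True while the PID exists and is not a zombie. A PID cannot be confused with
# another process that happens to be called security, which `grep ^security$`
# over `ps -o comm` can be. If ps cannot report the state (unusual ps
# implementations), we fall back to "alive while kill -0 succeeds".
pid_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    state=$(ps -p "$1" -o stat= 2>/dev/null | tr -d ' ')
    [ "${state#Z}" = "$state" ]
}

# Wait up to $2 seconds for PID $1 to exit. Returns 0 when it exited, 1 on
# timeout. The opening script's repeat loop has no bound: if SecurityAgent never
# gets the password, `security` blocks forever and so does the script. A timeout
# (Tom's repeatCount > 10 plays the same role on the AppleScript side) turns that
# hang into a failure the caller can report.
wait_for_pid() {
    pid=$1
    timeout=$2
    elapsed=0
    while pid_alive "$pid"; do
        if [ "$elapsed" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# Command-line entry points, so the AppleScript side reduces to
#   set pid to do shell script "sh keychain_dump.sh start " & quoted form of theKeychain
#   -- drive the SecurityAgent dialog here
#   do shell script "sh keychain_dump.sh wait " & pid & " 30"
# (keychain_dump.sh is an assumed file name.)
case "${1:-}" in
    start) start_dump "$2" ;;
    wait)  wait_for_pid "$2" "${3:-30}" ;;
esac
```

Because `do shell script` returns as soon as the command's stdout is closed, `start_dump` returns immediately with the PID while the dump (and its SecurityAgent prompts) continue in the background; the `wait` entry point then gives the script a definite answer about whether the dump ever completed.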

Someone pointed me to this GitHub thread: https://gist.github.com/rmondello/b933231b1fcc83a7db0b#gistcomment-2272755, which seems to help here.