Scripting Keychain First Aid

brussell
New Contributor III

Can anybody offer any insight as to how to go about scripting Keychain First Aid? I would like to add it as a Self Service Policy to repair keychain issues. Thanks!

1 ACCEPTED SOLUTION

krichterjr
Contributor

They may or may not help.

Here is an AppleScript that opens Keychain Access and then Keychain First Aid. The catch is AppleScript needs to be enabled for Assistive Devices. See more here https://jamfnation.jamfsoftware.com/discussion.html?id=9176#responseChild49975

tell application "Keychain Access" to activate
tell application "System Events"
    tell process "Keychain Access"
        click menu item "Keychain First Aid" of menu "Keychain Access" of menu bar 1
    end tell
end tell


14 REPLIES

mm2270
Legendary Contributor II

Not clear if there's a way to really "script" Keychain First Aid. It seems to be an embedded part of Keychain Access, not a separate app unto itself. You may be able to do something like this-

tell application "System Events"
    tell application "Keychain Access" to activate
    keystroke "a" using {command down, option down}
end tell

Only issue may be when running as a policy I don't know if it will correctly identify the current user, since it displays the logged in user's name and a password field when that comes up. You might need to put that code into a HEREDOC block and call it as the logged in user. Not really sure.

I also took a quick peek at the man page for "security" and I don't see anything about doing verifies or repairs on keychains. So it seems to be a GUI related function only from what I can tell.

Matt
Valued Contributor

I'm just commenting on the Ferret.

It's bossy.

Matt
Valued Contributor

I just looked through some terminal commands and none of them seem to coincide with Keychain so you might be stuck to Applescripting.

brussell
New Contributor III

@mattlee, yes, ferrets rock. Thank you all for the help. I will have to go the applescript route.

acdesigntech
Contributor II

Keychain first aid only helps with the password for the keychain itself. It doesn't do anything for items inside the keychain.

rcorbin
Contributor II

Didn't @Andrina show a great example of this at JNUC this year? I think she published the script somewhere as well. http://www.youtube.com/watch?v=AzlWdrRc1rY&list=PLlxHm_Px-Ie01lK6FgfdXhk-YuByY6X27&index=15

krichterjr
Contributor

I believe her script deletes the keychain and recreates it.

It too is nice to have available. If not for your users but for L1 techs.

https://github.com/andrina/JNUC2013/blob/master/Users%20Do%20Your%20Job/deleteAndcreateKeychain.sh

sardesm
New Contributor III

Does Andrina's script require a restart after running?

stevewood
Honored Contributor II

@sardesm from what I've seen, yes, for maximum effectiveness a restart is required.

ryan_s
New Contributor II

@krichterjr -- I have read a few of your posts regarding Keychain repair and it's been quite helpful! However, I am currently stuck on how exactly to enable Script Editor for assistive devices. I have tried variations of this:

sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "INSERT INTO access VALUES('kTCCServiceAccessibility','/Applications/Utilities/Script Editor',1,1,1,NULL)"

But so far I have not had luck (referencing http://work.chrisdietrich.de)...it's going to sound dumb but I don't know how to reference Script Editor in this sqlite logic... there is a com.apple.scripteditor or something that I cannot find?

krichterjr
Contributor

@rseys I haven't touched this since I originally worked on it and I have actually changed jobs since. With that said, I remember having difficulty with this part as well. I think I ended up saving the script as an Application and then added that Application to the Accessibility db instead of just ScriptEditor.

krichterjr
Contributor

@rseys I just tested this out and I believe this should work for you. I made a couple of small changes to what you had and this appears to work fine on my machine running 10.10.2. Hope this helps!

sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.ScriptEditor2',0,1,1,NULL)"

ryan_s
New Contributor II

Worked like a champ! Thank you sir -- I wasn't quite sure how to find the Bundle Identifier (or that "Bundle Identifier" was what I was looking for specifically). I looked at the contents of Script Editor and saw com.apple.scripteditor mentioned and assumed that was it.

Anyway, enjoy the new(?) role @krichterjr! I appreciate the assist
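
An audit of the Accessibility grants that INSERT statements like the ones in this thread create, added here as an example and not part of the original posts. It runs against an in-memory database with constructed rows; the column names and the reading of client_type (0 = bundle identifier, 1 = path) are assumptions based on the six-value INSERT and OS X 10.10.

```python
import sqlite3

# Assumed column layout, inferred from the six-value INSERT in the thread
# (OS X 10.10 era); later macOS releases use a different schema.
SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL, csreq BLOB,
    PRIMARY KEY (service, client, client_type))"""

ACC = "kTCCServiceAccessibility"

def build_sample_db():
    """In-memory stand-in for TCC.db; the last four rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        (ACC, "/Applications/Utilities/Script Editor", 1, 1, 1, None),  # first attempt
        (ACC, "com.apple.ScriptEditor2", 0, 1, 1, None),                # working row
        (ACC, "com.example.helper", 1, 1, 1, None),       # identifier marked as a path
        (ACC, "com.example.signed", 0, 1, 1, b"\x01constructed-csreq"),
        (ACC, "com.example.denied", 0, 0, 1, None),       # not allowed: skipped
        ("kTCCServiceAddressBook", "com.example.mail", 0, 1, 1, None),  # other service
    ])
    return db

def audit_accessibility(db):
    """Return (client, client_type, findings) for each allowed Accessibility grant."""
    query = ("SELECT client, client_type, csreq FROM access "
             "WHERE service = ? AND allowed = 1 ORDER BY client")
    results = []
    for client, ctype, csreq in db.execute(query, (ACC,)):
        is_path = client.startswith("/")
        findings = []
        if ctype == 0 and is_path:
            findings.append("path stored with client_type 0")
        if ctype == 1 and not is_path:
            findings.append("bundle identifier stored with client_type 1")
        if csreq is None:
            findings.append("csreq is NULL: no code requirement on the client")
        results.append((client, ctype, findings))
    return results

if __name__ == "__main__":
    for client, ctype, findings in audit_accessibility(build_sample_db()):
        print(f"{client} (client_type={ctype}): {'; '.join(findings) or 'ok'}")
```

To run the same check on a managed Mac, pass `audit_accessibility` a connection opened read-only on a copy of the TCC.db path used in the thread.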