Created: 2008-11-08 12:33
Updated: 2018-06-21 20:57


The idea behind keychain_access is to provide Keychain features on the command line. Apple's security(1) command already does some of this work. Unfortunately, there is no convenient way to access public/private key pairs stored in the Keychain via security(1).

This is why I wrote keychain_access. I wanted to use private keys stored in my keychain in command-line scripts. This is helpful for signing files for Sparkle's appcast without having to type my password all the time, while at the same time not having to worry that my private key is stored in plaintext on my hard drive.


$ keychain_access -h
Usage: keychain_access [-vh] [-p <password>] <key_name>
  -p <password>   Encrypt exported private keys with <password>.
                  The default is to export them without a password.
  -h              Show this information.
  -v              Print current version number.
  <key_name>      The name of the keychain item you want to access.
                  Has to be a public or private key.

If you want to pass a key from the Keychain to an openssl command without the key touching the hard drive, use a named pipe. This is how I use keychain_access to sign Sparkle updates:

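# $PIPE, $OUTPUT_DIR and $VOL must be set by the surrounding script.
mkfifo -m 0600 "$PIPE"
# Write the key into the pipe in the background; this blocks until openssl opens it.
keychain_access name.of.the.private.key > "$PIPE" &

SIG=$(openssl dgst -sha1 -binary < "$OUTPUT_DIR/$VOL.dmg" | openssl dgst -dss1 -sign "$PIPE" | openssl enc -base64)

rm "$PIPE"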
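
The named-pipe hand-off above, wrapped so that the pipe lives in a private directory and is removed even when signing fails or the script is interrupted. This is an added example, not code from keychain_access; the function name with_key_fifo and the KEY_FIFO variable are assumptions made for illustration.

```shell
#!/bin/sh
# with_key_fifo PRODUCER CONSUMER   (hypothetical helper, not part of keychain_access)
#   PRODUCER writes the key to stdout; CONSUMER finds the pipe path in $KEY_FIFO.
#   Both strings are run by sh -c, so pass only commands you wrote yourself.
# Usage with the page's pipeline (OUTPUT_DIR and VOL must be exported):
#   with_key_fifo 'keychain_access name.of.the.private.key' \
#     'openssl dgst -sha1 -binary < "$OUTPUT_DIR/$VOL.dmg" |
#      openssl dgst -dss1 -sign "$KEY_FIFO" | openssl enc -base64'
with_key_fifo() (
    producer=$1
    consumer=$2
    # mktemp -d gives an unpredictable, owner-only (0700) directory, so no
    # other local user can pre-create or open the pipe path.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/keyfifo.XXXXXX") || exit 1
    fifo=$dir/key
    producer_pid=
    cleanup() {
        # A producer still blocked on the pipe means nobody read the key: stop it.
        if [ -n "$producer_pid" ]; then
            kill "$producer_pid" 2>/dev/null || true
        fi
        rm -rf "$dir"
    }
    # The body runs in a subshell, so these traps do not leak to the caller.
    trap cleanup EXIT
    trap 'exit 1' INT TERM HUP
    mkfifo -m 0600 "$fifo" || exit 1
    # The producer blocks until the consumer opens the pipe for reading; the
    # key only ever exists in the kernel pipe buffer, never in a regular file.
    sh -c "$producer" > "$fifo" &
    producer_pid=$!
    status=0
    KEY_FIFO=$fifo sh -c "$consumer" || status=$?
    exit "$status"
)
```

The function returns the consumer's exit status, so a failed openssl call can be detected by the calling script.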


Type make and then copy the executable named "keychain_access" to wherever you like in your $PATH.


MIT, see keychain_access.c.


Torsten Becker <torsten dot becker at gmail dot com>
