google / macops-keychainminder

SecurityAgentPlugin for monitoring keychain password synchronization

Feature Request: Check 'Local Items Keychain' independently from 'Login Keychain' #17

Open ScarabMonkey opened 8 years ago

ScarabMonkey commented 8 years ago

We have an issue with people who change their password on their Mac due to being prompted by the OS. This has the effect of successfully updating their Login Keychain password, but still leaves the Local Items keychain with the old password.

This software appears to be checking the Login keychain and then changing both keychains if they are out-of-sync - thereby assuming that both keychains have the same password. Would it be possible for this, instead, to check each of the keychains separately and set the passwords for those that are actually out-of-sync?

russellhancox commented 8 years ago

Huh, I wouldn't have expected an OS prompt to let the passwords get out-of-sync.

I'm not sure it's possible to check the Local Items keychain separately. Keychain Services handles the Local Items keychain (mostly) transparently; we're not explicitly changing the password for that keychain, for example, since it is handled automatically by setting the login keychain password.

We'll do some digging and see if this is possible.

tburgin commented 8 years ago

I don't know of any supported way to verify the Local Items Keychain. It looks like there are some private functions for non on-disk keychains. I will poke around. https://opensource.apple.com/source/libsecurity_keychain/libsecurity_keychain-55050.9/lib/SecKeychain.cpp
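For readers following the discussion above, here is an added example (not KeychainMinder's code) of the only check Keychain Services publicly supports: testing whether a candidate password unlocks the user's login keychain. The Local Items keychain has no equivalent public API, which is the gap this issue is about; the login keychain path is an assumed default.

```objective-c
// Added example, not part of macops-keychainminder. Build on macOS with:
//   clang -framework Security -framework CoreFoundation -o kcheck kcheck.m
// Reports whether a password unlocks the login keychain, without changing anything.
#import <Security/Security.h>
#import <CoreFoundation/CoreFoundation.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Returns 1 if `password` unlocks the keychain file at `path`, 0 if the
// password is rejected, and -1 if the keychain could not be opened or another
// error occurred. Only on-disk keychains (login.keychain-db) can be opened this
// way; the Local Items keychain is not reachable through SecKeychainOpen.
static int passwordUnlocksKeychain(const char *path, const char *password) {
    SecKeychainRef keychain = NULL;
    OSStatus status = SecKeychainOpen(path, &keychain);
    if (status != errSecSuccess || keychain == NULL) return -1;

    // Lock first so an already-unlocked keychain cannot mask a wrong password.
    SecKeychainLock(keychain);
    status = SecKeychainUnlock(keychain, (UInt32)strlen(password), password, TRUE);
    CFRelease(keychain);

    if (status == errSecSuccess) return 1;
    if (status == errSecAuthFailed) return 0;   // wrong password for this keychain
    return -1;
}

int main(void) {
    // Assumed default login keychain location for the current user.
    char path[1024];
    snprintf(path, sizeof path, "%s/Library/Keychains/login.keychain-db", getenv("HOME"));

    // Read the password from the terminal rather than argv so it is not
    // visible in the process list.
    const char *password = getpass("Password to test against login keychain: ");
    int result = passwordUnlocksKeychain(path, password);

    if (result == 1) printf("login keychain: password matches\n");
    else if (result == 0) printf("login keychain: password does NOT match (out of sync)\n");
    else printf("login keychain: could not be opened or checked\n");
    return result == 1 ? 0 : 1;
}
```

A mismatch here is the login-keychain half of the sync problem described in the thread; the Local Items half still cannot be confirmed from user space with public APIs.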