security(1)                 General Commands Manual                security(1)

NAME
     security -- Command line interface to keychains and Security framework

SYNOPSIS
     security [-hilqv] [-p prompt] [command] [command_options] [command_args]

DESCRIPTION
     A simple command line interface which lets you administer keychains,
     manipulate keys and certificates, and do just about anything the
     Security framework is capable of from the command line.

     By default security will execute the command supplied and report if
     anything went wrong.

     If the -i or -p options are provided, security will enter interactive
     mode and allow the user to enter multiple commands on stdin. When EOF is
     read from stdin security will exit.

     Here is a complete list of the options available:

     -h          Show usage; the same as the help command.

     -i          Run security in interactive mode. A prompt (security> by
                 default) will be displayed and the user will be able to type
                 commands on stdin until an EOF is encountered.

     -l          Before security exits, run /usr/bin/leaks -nocontext on it.

     -p prompt   Implies the -i option but changes the default prompt to the
                 argument specified instead.

     -q          Make security less verbose.

     -v          Make security more verbose.

SECURITY COMMAND SUMMARY
     security provides a rich variety of commands (command in the SYNOPSIS),
     each of which often has a wealth of options, to allow access to the
     broad functionality provided by the Security framework. However, you
     don't have to master every detail for security to be useful to you.

     Here are brief descriptions of all the security commands:

     help
     list-keychains
     default-keychain
     login-keychain
     create-keychain
     delete-keychain
     lock-keychain
     unlock-keychain
     set-keychain-settings
     set-keychain-password
     show-keychain-info
     dump-keychain
     create-keypair
     add-generic-password
     add-internet-password
     add-certificates
     find-generic-password
     delete-generic-password
     set-generic-password-partition-list
     find-internet-password
     delete-internet-password
     set-internet-password-partition-list
     find-key
     set-key-partition-list
     find-certificate
     find-identity
     delete-certificate
     delete-identity
     set-identity-preference
     get-identity-preference
     create-db
     export
     import
     cms
     install-mds
     add-trusted-cert
     remove-trusted-cert
     dump-trust-settings
     user-trust-settings-enable
     trust-settings-export
     trust-settings-import
     verify-cert
     authorize
     authorizationdb
     execute-with-privileges
     leaks
     smartcards
     list-smartcards
     export-smartcard
     error
COMMON COMMAND OPTIONS
     This section describes the command_options that are available across
     all security commands.

     -h     Show the usage for the command.

SECURITY COMMANDS
     Here (finally) are details on all the security commands and the options
     each accepts.
     help [-h]
          Show all commands, or show usage for a command.

     list-keychains [-h] [-d user|system|common|dynamic] [-s [keychain...]]
          Display or manipulate the keychain search list.

     default-keychain [-h] [-d user|system|common|dynamic] [-s [keychain]]
          Display or set the default keychain.

     login-keychain [-h] [-d user|system|common|dynamic] [-s [keychain]]
          Display or set the login keychain.

     create-keychain [-hP] [-p password] [keychain...]
          Create keychains.

     delete-keychain [-h] [keychain...]
          Delete keychains and remove them from the search list.

     lock-keychain [-h] [-a|keychain]
          Lock keychain, or the default keychain if none is specified. If the
          -a option is specified, all keychains are locked.

     unlock-keychain [-hu] [-p password] [keychain]
          Unlock keychain, or the default keychain if none is specified.

     set-keychain-settings [-hlu] [-t timeout] [keychain]
          Set settings for keychain, or the default keychain if none is
          specified.

     set-keychain-password [-h] [-o oldPassword] [-p newPassword] [keychain]
          Set password for keychain, or the default keychain if none is
          specified.

     show-keychain-info [-h] [keychain]
          Show the settings for keychain.

     dump-keychain [-adhir]
          Dump the contents of one or more keychains.

     create-keypair [-h] [-a alg] [-s size] [-f date] [-t date] [-d days]
          [-k keychain] [-A|-T appPath] [name]
          Create an asymmetric key pair.

          Options:
               -a alg
               -s size
               -f date
               -t date
               -d days
               -k keychain
               -A           Allow any application to access the key without
                            warning (insecure, not recommended).
               -T appPath   Specify an application which may access the key
                            (multiple -T options are allowed).

     add-generic-password [-h] [-a account] [-s service] [-w password]
          [options...] [keychain]
          Add a generic password item.

          Options:
               -a account
               -c creator
               -C type
               -D kind
               -G value
               -j comment
               -l label
               -s service
               -p password  (legacy option, equivalent to -w)
               -w password
               -A           Allow any application to access the item without
                            warning (insecure, not recommended).
               -T appPath   Specify an application which may access the item
                            (multiple -T options are allowed).
               -U           Update the item if it already exists (if omitted,
                            the item cannot already exist).
               -X password

          By default, the application which creates an item is trusted to
          access its data without warning. You can remove this default access
          by explicitly specifying an empty app pathname: -T "". If no
          keychain is specified, the password is added to the default
          keychain.

     add-internet-password [-h] [-a account] [-s server] [-w password]
          [options...] [keychain]
          Add an internet password item.

          Options:
               -a account
               -c creator
               -C type
               -d domain
               -D kind
               -j comment
               -l label
               -p path
               -P port
               -r protocol
               -s server
               -t authenticationType
               -w password
               -A           Allow any application to access the item without
                            warning (insecure, not recommended).
               -T appPath   Specify an application which may access the item
                            (multiple -T options are allowed).
               -U           Update the item if it already exists (if omitted,
                            the item cannot already exist).
               -X password

          By default, the application which creates an item is trusted to
          access its data without warning. You can remove this default access
          by explicitly specifying an empty app pathname: -T "". If no
          keychain is specified, the password is added to the default
          keychain.

     add-certificates [-h] [-k keychain] file...
          Add certificates contained in the specified files to the default
          keychain. The files must contain one DER encoded X509 certificate
          each.

          Options:
               -k keychain

     find-generic-password [-h] [-a account] [-s service] [options...] [-g]
          [keychain...]
          Find a generic password item.

          Options:
               -a account
               -c creator
               -C type
               -D kind
               -G value
               -j comment
               -l label
               -s service
               -g           Display the password for the item found.
               -w           Display only the password on stdout.

     delete-generic-password [-h] [-a account] [-s service] [options...]
          [keychain...]
          Delete a generic password item.

     delete-internet-password [-h] [-a account] [-s server] [options...]
          [keychain...]
          Delete an internet password item.

          Options:
               -a account
               -c creator
               -C type
               -d securityDomain
               -D kind
               -j comment
               -l label
               -p path
               -P port
               -r protocol
               -s server
               -t authenticationType

     find-internet-password [-h] [-a account] [-s server] [options...] [-g]
          [keychain...]
          Find an internet password item.

          Options:
               -a account
               -c creator
               -C type
               -d securityDomain
               -D kind
               -j comment
               -l label
               -p path
               -P port
               -r protocol
               -s server
               -t authenticationType
               -g           Display the password for the item found.
               -w           Display only the password on stdout.

     find-key [options...] [keychain...]
          Search the keychain for keys.

          Options:
               -a application-label
               -c creator
               -d
               -D description
               -e
               -j comment
               -l label
               -r
               -s
               -t type
               -u
               -v
               -w

     set-generic-password-partition-list [-a account] [-s service]
          [-S <partition list (comma separated)>] [-k <keychain password>]
          [options...] [keychain]
          Sets the "partition list" for a generic password. The "partition
          list" is an extra parameter in the ACL which limits access to the
          item based on an application's code signature. You must present the
          keychain's password to change a partition list.

          Options:
               -S partition-list
               -k password
               -a account
               -c creator
               -C type
               -D kind
               -G value
               -j comment
               -l label
               -s service

     set-internet-password-partition-list [-a account] [-s server]
          [-S <partition list (comma separated)>] [-k <keychain password>]
          [options...] [keychain]
          Sets the "partition list" for an internet password. The "partition
          list" is an extra parameter in the ACL which limits access to the
          item based on an application's code signature. You must present the
          keychain's password to change a partition list.

          Options:
               -S partition-list
               -k password
               -a account
               -c creator
               -C type
               -d securityDomain
               -D kind
               -j comment
               -l label
               -p path
               -P port
               -r protocol
               -s server
               -t authenticationType

     set-key-partition-list [-S <partition list (comma separated)>]
          [-k <keychain password>] [options...] [keychain]
          Sets the "partition list" for a key. The "partition list" is an
          extra parameter in the ACL which limits access to the key based on
          an application's code signature. You must present the keychain's
          password to change a partition list. If you'd like to run
          /usr/bin/codesign with the key, "apple:" must be an element of the
          partition list.

          Options:
               -S partition-list
               -k password
               -a application-label
               -c creator
               -d
               -D description
               -e
               -j comment
               -l label
               -r
               -s
               -t type
               -u
               -v
               -w
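The partition-list commands above (set-generic-password-partition-list and set-key-partition-list) matter most when a build host must use a signing identity non-interactively. As an added example that is not part of this man page, the POSIX shell script below provisions a throwaway keychain, imports a PKCS#12 bundle restricted to codesign and security, and sets the key's partition list so /usr/bin/codesign can use it without an ACL prompt. KC_PATH, KC_PASS, P12_PATH and P12_PASS are placeholder names, and "apple-tool:" is assumed to be the partition covering the security tool itself.

```shell
#!/bin/sh
# Added example, not from the man page. Assumes macOS with security(1) on PATH.
set -eu

KC_PATH="${KC_PATH:-${HOME:-/tmp}/Library/Keychains/build.keychain-db}"  # placeholder
KC_PASS="${KC_PASS:-$(head -c 24 /dev/urandom | base64)}"   # throwaway, never reused
P12_PATH="${P12_PATH:-/path/to/signing-identity.p12}"       # placeholder
P12_PASS="${P12_PASS:-}"                                    # placeholder

# Partition list handed to set-key-partition-list. The man page states that
# "apple:" must be present for /usr/bin/codesign; "apple-tool:" (assumed)
# covers the security tool itself so later security commands do not prompt.
partition_list() { printf 'apple-tool:,apple:'; }

setup_build_keychain() {
  security create-keychain -p "$KC_PASS" "$KC_PATH"
  # -l: lock when the system sleeps; -u with -t: lock after 900 s idle
  security set-keychain-settings -lut 900 "$KC_PATH"
  security unlock-keychain -p "$KC_PASS" "$KC_PATH"
  # Only codesign and security may use the imported key (multiple -T allowed);
  # -A would grant every application access and is deliberately not used.
  security import "$P12_PATH" -k "$KC_PATH" -P "$P12_PASS" \
    -T /usr/bin/codesign -T /usr/bin/security
  # Changing the partition list requires the keychain password (-k).
  security set-key-partition-list -S "$(partition_list)" -k "$KC_PASS" "$KC_PATH"
  # Prepend the build keychain to the user search list so codesign finds it.
  # Assumes the existing keychain paths contain no spaces.
  existing=$(security list-keychains -d user | tr -d '"' | tr '\n' ' ')
  # shellcheck disable=SC2086
  security list-keychains -d user -s "$KC_PATH" $existing
}

# Remove the keychain (and its search-list entry) once the job is done.
teardown_build_keychain() { security delete-keychain "$KC_PATH"; }

case "${1:-}" in
  setup)    setup_build_keychain ;;
  teardown) teardown_build_keychain ;;
esac
```

Run it as `sh build-keychain.sh setup` before signing and `sh build-keychain.sh teardown` afterwards so the identity never persists in the login keychain.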
     find-certificate [-h] [-a] [-c name] [-e emailAddress] [-m] [-p] [-Z]
          [keychain...]
          Find a certificate item. If no keychain arguments are provided, the
          default search list is used.

          Options:
               -a
               -c name
               -e emailAddress
               -m
               -p           Output the certificate in PEM format.
               -Z           Print the SHA-1 hash of the certificate.

     find-identity [-h] [-p policy] [-s string] [-v] [keychain...]
          Find an identity (certificate + private key) satisfying a given
          policy. If no policy arguments are provided, the X.509 basic policy
          is assumed. If no keychain arguments are provided, the default
          search list is used.

          Options:
               -p policy
               -s string
               -v           Show valid identities only.

     delete-certificate [-h] [-c name] [-Z hash] [-t] [keychain...]
          Delete a certificate from a keychain. If no keychain arguments are
          provided, the default search list is used.

     delete-identity [-h] [-c name] [-Z hash] [-t] [keychain...]
          Delete a certificate and its private key from a keychain. If no
          keychain arguments are provided, the default search list is used.

     set-identity-preference [-h] [-n] [-c identity] [-s service]
          [-u keyUsage] [-Z hash] [keychain...]
          Set the preferred identity to use for a service.

          Options:
               -n
               -c identity
               -s service
               -u keyUsage
               -Z hash

     get-identity-preference [-h] [-s service] [-u keyUsage] [-p] [-c] [-Z]
          Get the preferred identity to use for a service.

          Options:
               -s service
               -u keyUsage
               -p
               -c
               -Z

     create-db [-aho0] [-g dl|cspdl] [-m mode] [name]
          Create a db using the DL. If name isn't provided security will
          prompt the user to type a name.

     export [-k keychain] [-t type] [-f format] [-w] [-p format]
          [-P passphrase] [-o outfile]
          Export one or more items from a keychain to one of a number of
          external representations. If keychain isn't provided, items will be
          exported from the user's default keychain.

          Options:
               -k keychain
               -t type
               -f format
               -w
               -p
               -P passphrase
               -o outfile

     import inputfile [-k keychain] [-t type] [-f format] [-w]
          [-P passphrase] [options...]
          Import one or more items from inputfile into a keychain. If
          keychain isn't provided, items will be imported into the user's
          default keychain.

          Options:
               -k keychain
               -t type
               -f format
               -w
               -x
               -P passphrase
               -a attrName attrValue
               -A           Allow any application to access the imported key
                            without warning (insecure, not recommended).
               -T appPath   Specify an application which may access the
                            imported key (multiple -T options are allowed).

     cms [-C|-D|-E|-S] [options...]
          Encode or decode CMS messages.

          Options:
               -C
               -D
               -E
               -S
               -r id,...
               -G
               -H hash
               -N nick
               -P
               -T
               -Y nick
               -Z hash
               -e envelope  (used with -D or -E)
               -k keychain
               -i infile
               -o outfile
               -p password
               -s
               -u certusage
               -v

     install-mds
          Install (or re-install) the Module Directory Services (MDS)
          database. This is a system tool which is not normally used by
          users. There are no options.

     add-trusted-cert [-d] [-r resultType] [-p policy] [-a appPath]
          [-s policyString] [-e allowedError] [-u keyUsage] [-k keychain]
          [-i settingsFileIn] [-o settingsFileOut] certFile
          Add certificate (in DER or PEM format) from certFile to per-user or
          local Admin Trust Settings. When modifying per-user Trust Settings,
          user authentication is required via an authentication dialog. When
          modifying admin Trust Settings, the process must be running as root,
          or admin authentication is required.

          Options:
               -d
               -r resultType
               -p policy
               -a appPath
               -s policyString
               -e allowedError
               -u keyUsage
               -k keychain
               -i settingsFileIn
               -o settingsFileOut

          Examples:
               security> add-trusted-cert /tmp/cert.der
               security> add-trusted-cert -d /tmp/cert.der

     remove-trusted-cert [-d] certFile
          Remove certificate (in DER or PEM format) in certFile from per-user
          or local Admin Trust Settings. When modifying per-user Trust
          Settings, user authentication is required via an authentication
          dialog. When modifying admin Trust Settings, the process must be
          running as root, or admin authentication is required.

          Options:
               -d

     dump-trust-settings [-s] [-d]
          Display Trust Settings.

     user-trust-settings-enable [-d] [-e]
          Display or manipulate user-level Trust Settings. With no arguments,
          shows the current state of the user-level Trust Settings enable.
          Otherwise enables or disables user-level Trust Settings.

     trust-settings-export [-s] [-d] settings_file
          Export Trust Settings to the specified file.

     trust-settings-import [-d] settings_file
          Import Trust Settings from the specified file. When modifying
          per-user Trust Settings, user authentication is required via an
          authentication dialog. When modifying admin Trust Settings, the
          process must be running as root, or admin authentication is
          required.

          Options:
               -d

     verify-cert [-c certFile] [-r rootCertFile] [-p policy] [-C] [-d date]
          [-k keychain] [-n name] [-N] [-L] [-l] [-e emailAddress]
          [-s sslHost] [-q] [-R revCheckOption] [-P] [-t] [-v] [url]
          Verify one or more certificates. If a direct URL argument is
          provided, a TLS connection is attempted and the certificate
          presented by that server is evaluated according to standard SSL
          server policy; other certificates or policy options will be ignored
          in this case.

          Options:
               -c certFile
               -r rootCertFile
               -p policy
               -C
               -d date
               -k keychain
               -n name
               -N
               -L
               -l
               -e emailAddress
               -s sslHost
               -q
               -R revCheckOption
               -P
               -t
               -v

     authorize [-updPiew] [right...]
          Authorize requested right(s). The extend-rights flag will be passed
          by default.

          Options:
               -u
               -p
               -d
               -P
               -l
               -i
               -e
               -w

     authorizationdb read <right-name>
     authorizationdb write <right-name> [allow|deny|<rulename>]
     authorizationdb remove <right-name>
          Read/Modify authorization policy database. Without a rulename,
          write will read a dictionary as a plist from stdin.

     execute-with-privileges <program> [args...]
          Execute tool with privileges. On success stdin will be read and
          forwarded to the tool.

     leaks [-h] [-cycles] [-nocontext] [-nostacks] [-exclude symbol]
          Run /usr/bin/leaks on this process. This can help find memory leaks
          after running certain commands.

          Options:
               -cycles
               -nocontext
               -nostacks
               -exclude symbol

     smartcards token [-l] [-e token] [-d token]
          Enable, disable or list disabled smartcard tokens.

     list-smartcards
          Display ids of available smartcards.

     export-smartcard token [-i id] [-t certs|privKeys|identities|all]
          [-e exportPath]
          Export/display items from a smartcard. If id isn't provided, items
          from all smartcards will be displayed.

          Options:
               -i id
               -t certs|privKeys|identities|all
               -e exportPath

     error [-h] [<error code(s)...>]
          Display an error string for the given security-related error code.
          The error can be in decimal or hex, e.g. 1234 or 0x1234. Multiple
          errors can be separated by spaces.

ENVIRONMENT
     MallocStackLogging
          If you are going to use the leaks command or the -l option, it's
          probably a good idea to set this environment variable before
          security is started. Doing so will allow leaks to display symbolic
          backtraces.

FILES
     Property list file containing the current user's default keychain and
     keychain search list.

     Property list file containing the system default keychain and keychain
     search list. This is used by processes started at boot time, or those
     requesting to use the system search domain, such as system daemons.

     Property list file containing the common keychain search list, which is
     appended to every user's search list and to the system search list.

HISTORY
     security was first introduced in Mac OS X version 10.3.

BUGS
     security still needs more commands before it can be considered complete.
     In particular, it should someday supersede both the certtool and
     systemkeychain commands.

Darwin                          March 15, 2017                          Darwin