security(1) | General Commands Manual | security(1) |
security
— Command
line interface to keychains and Security framework
security |
[-hilqv ] [-p
prompt] [command]
[command_options]
[command_args] |
A simple command line interface which lets you administer keychains, manipulate keys and certificates, and do just about anything the Security framework is capable of from the command line.
By default security
will execute the
command supplied and report if anything went
wrong.
If the -i
or -p
options are provided, security
will enter
interactive mode and allow the user to enter multiple commands on stdin.
When EOF is read from stdin security
will exit.
Here is a complete list of the options available:
-h
help
command.-i
security
in interactive mode. A prompt
(security>
by default) will be displayed and
the user will be able to type commands on stdin until an EOF is
encountered.-l
security
exits, run
/usr/bin/leaks
-nocontext
-p
prompt-i
option but changes the
default prompt to the argument specified instead.-q
security
less verbose.-v
security
more verbose.security
provides a rich variety of
commands (command in the
SYNOPSIS), each of which often has a
wealth of options, to allow access to the broad functionality provided by
the Security framework. However, you don't have to master every detail for
security
to be useful to you.
Here are brief descriptions of all the
security
commands:
help
list-keychains
default-keychain
login-keychain
create-keychain
delete-keychain
lock-keychain
unlock-keychain
set-keychain-settings
set-keychain-password
show-keychain-info
dump-keychain
create-keypair
add-generic-password
add-internet-password
add-certificates
find-generic-password
delete-generic-password
set-generic-password-partition-list
find-internet-password
delete-internet-password
set-internet-password-partition-list
find-key
set-key-partition-list
find-certificate
find-identity
delete-certificate
delete-identity
set-identity-preference
get-identity-preference
create-db
export
import
cms
install-mds
add-trusted-cert
remove-trusted-cert
dump-trust-settings
user-trust-settings-enable
trust-settings-export
trust-settings-import
verify-cert
authorize
authorizationdb
execute-with-privileges
leaks
smartcards
list-smartcards
export-smartcard
error
This section describes the command_options
that are available across most security
commands.
-h
Here (finally) are details on all the
security
commands and the options each accepts.
help
Show all commands, or show usage for a
command.
list-keychains
[-h
]
[-d
user|system|common|dynamic]
[-s
[keychain...]] Display
or manipulate the keychain search list.
default-keychain
[-h
]
[-d
user|system|common|dynamic]
[-s
[keychain]] Display or
set the default keychain.
login-keychain
[-h
]
[-d
user|system|common|dynamic]
[-s
[keychain]] Display or
set the login keychain.
create-keychain
[-hP
]
[-p
password]
[keychain...] Create keychains.
delete-keychain
[-h
]
[keychain...] Delete keychains and remove them from
the search list.
lock-keychain
[-h
]
[-a
|keychain] Lock
keychain, or the default keychain if none is
specified. If the -a
option is specified, all
keychains are locked.
unlock-keychain
[-hu
]
[-p
password]
[keychain] Unlock keychain, or
the default keychain if none is specified.
set-keychain-settings
[-hlu
] [-t
timeout] [keychain] Set
settings for keychain, or the default keychain if
none is specified.
set-keychain-password
[-h
]
[-o
oldPassword]
[-p
newPassword]
[keychain] Set password for
keychain, or the default keychain if none is
specified.
show-keychain-info
[keychain] Show the settings for
keychain.
dump-keychain
[-adhir
]
[keychain...] Dump the contents of one or more
keychains.
create-keypair
[-h
]
[-a
alg]
[-s
size]
[-f
date]
[-t
date]
[-d
days]
[-k
keychain]
[-A
|-T
appPath] [description] Create
an asymmetric key pair.
-a
alg-s
size-f
date-t
date-d
days-k
keychain-A
-T
appPath-T
options are allowed)add-generic-password
[-h
]
[-a
account]
[-s
service]
[-w
password]
[options...]
[-A
|-T
appPath] [keychain] Add a
generic password item.
-a
account-c
creator-C
type-D
kind-G
value-j
comment-l
label-s
service-p
password-w
)-w
password-A
-T
appPath-T
options are allowed)-U
-X
password-T
"". If no keychain is specified,
the password is added to the default keychain.
add-internet-password
[-h
]
[-a
account]
[-s
server]
[-w
password]
[options...]
[-A
|-T
appPath] [keychain] Add an
internet password item.
-a
account-c
creator-C
type-d
domain-D
kind-j
comment-l
label-p
path-P
port-r
protocol-s
server-t
authenticationType-w
password-A
-T
appPath-T
options are allowed)-U
-X
password-T
"". If no keychain is specified,
the password is added to the default keychain.
add-certificates
[-h
]
[-k
keychain]
file... Add certficates contained in the specified
files to the default keychain. The files must
contain one DER encoded X509 certificate each.
-k
keychainfind-generic-password
[-h
]
[-a
account]
[-s
service]
[options...] [-g
]
[keychain...] Find a generic password item.
-a
account-c
creator-C
type-D
kind-G
value-j
comment-l
label-s
service-g
-w
delete-generic-password
[-h
] [-a
account] [-s
service] [options...]
[keychain...] Delete a generic password item.
delete-internet-password
[-h
] [-a
account] [-s
server] [options...]
[keychain...] Delete an internet password item.
-a
account-c
creator-C
type-d
securityDomain-D
kind-j
comment-l
label-p
path-P
port-r
protocol-s
server-t
authenticationTypefind-internet-password
[-h
] [-a
account] [-s
server] [options...]
[-g
] [keychain...] Find an
internet password item.
-a
account-c
creator-C
type-d
securityDomain-D
kind-j
comment-l
label-p
path-P
port-r
protocol-s
server-t
authenticationType-g
-w
find-key
[options...]
[keychain...] Search the keychain for keys.
-a
application-label-c
creator-d
-D
description-e
-j
comment-l
label-r
-s
-t
type-u
-v
-w
set-generic-password-partition-list
[-a
account]
[-s
service]
[-S
partition-list]
[-k
password]
[options...] [keychain] Sets
the "partition list" for a generic password. The "partition
list" is an extra parameter in the ACL which limits access to the
item based on an application's code signature. You must present the
keychain's password to change a partition list.
-S
partition-list-k
password-a
account-c
creator-C
type-D
kind-G
value-j
comment-l
label-s
serviceset-internet-password-partition-list
[-a
account]
[-s
server]
[-S
partition-list]
[-k
password]
[options...] [keychain] Sets
the "partition list" for an internet password. The
"partition list" is an extra parameter in the ACL which limits
access to the item based on an application's code signature. You must
present the keychain's password to change a partition list.
-S
partition-list-k
password-a
account-c
creator-C
type-d
securityDomain-D
kind-j
comment-l
label-p
path-P
port-r
protocol-s
server-t
authenticationTypeset-key-partition-list
[-S
partition-list] [-k
password] [options...]
[keychain] Sets the "partition list" for a
key. The "partition list" is an extra parameter in the ACL which
limits access to the key based on an application's code signature. You
must present the keychain's password to change a partition list. If you'd
like to run /usr/bin/codesign with the key, "apple:" must be an
element of the partition list.
-S
partition-list-k
password-a
application-label-c
creator-d
-D
description-e
-j
comment-l
label-r
-s
-t
type-u
-v
-w
find-certificate
[-h
]
[-a
] [-c
name] [-e
emailAddress] [-m
]
[-p
] [-Z
]
[keychain...] Find a certificate item. If no
keychain arguments are provided, the default search
list is used.
-a
-c
name-e
emailAddress-m
-p
-Z
find-identity
[-h
]
[-p
policy]
[-s
string]
[-v
] [keychain...] Find an
identity (certificate + private key) satisfying a given policy. If no
policy arguments are provided, the X.509 basic
policy is assumed. If no keychain arguments are
provided, the default search list is used.
-p
policy-s
string-v
delete-certificate
[-h
]
[-c
name]
[-Z
hash]
[-t
] [keychain...] Delete a
certificate from a keychain. If no keychain
arguments are provided, the default search list is used.
delete-identity
[-h
]
[-c
name]
[-Z
hash]
[-t
] [keychain...] Delete a
certificate and its private key from a keychain. If no
keychain arguments are provided, the default search
list is used.
set-identity-preference
[-h
] [-n
]
[-c
identity]
[-s
service]
[-u
keyUsage]
[-Z
hash]
[keychain...] Set the preferred identity to use for
a service.
-n
-c
identity-s
service-u
keyUsage-Z
hashget-identity-preference
[-h
] [-s
service] [-u
keyUsage] [-p
]
[-c
] [-Z
] Get the
preferred identity to use for a service.
-s
service-u
keyUsage-p
-c
-Z
create-db
[-aho0
]
[-g
dl|cspdl]
[-m
mode]
[name] Create a db using the DL. If
name isn't provided security
will prompt the user to type a name.
export
[-k
keychain] [-t
type] [-f
format] [-w
]
[-p
] [-P
passphrase] [-o
outfile] Export one or more items from a keychain to
one of a number of external representations. If
keychain isn't provided, items will be exported from
the user's default keychain.
-k
keychain-t
type-f
format-w
-p
-P
passphrase-o
outfileimport
inputfile [-k
keychain] [-t
type] [-f
format] [-w
]
[-P
passphrase]
[options...] Import one or more items from
inputfile into a keychain. If
keychain isn't provided, items will be imported into
the user's default keychain.
-k
keychain-t
type-f
format-w
-x
-P
passphrase-a
attrName attrValue-A
-T
appPath-T
options are allowed)cms
[-C
|-D
|-E
|-S
]
[options...] Encode or decode CMS messages.
-C
-D
-E
-S
-r
id,...-G
-H
hash-N
nick-P
-T
-Y
nick-Z
hash-e
envelope-D
or
-E
)-k
keychain-i
infile-o
outfile-p
password-s
-u
certusage-v
install-mds
Install (or re-install) the Module
Directory Services (MDS) database. This is a system tool which is not
normally used by users. There are no options.
add-trusted-cert
[-d
]
[-r
resultType]
[-p
policy]
[-a
appPath]
[-s
policyString]
[-e
allowedError]
[-u
keyUsage]
[-k
keychain]
[-i
settingsFileIn]
[-o
settingsFileOut]
[certFile] Add certificate (in DER or PEM format)
from certFile to per-user or local Admin Trust
Settings. When modifying per-user Trust Settings, user authentication is
required via an authentication dialog. When modifying admin Trust
Settings, the process must be running as root, or admin authentication is
required.
-d
-r
resultType-p
policy-a
appPath-s
policyString-e
allowedError-u
keyUsage-k
keychain-i
settingsFileIn-o
settingsFileOutsecurity> add-trusted-cert
/tmp/cert.der
security> add-trusted-cert
-d .tmp/cert.der
remove-trusted-cert
[-d
]
certFile Remove certificate (in DER or PEM format) in
certFile from per-user or local Admin Trust
Settings. When modifying per-user Trust Settings, user authentication is
required via an authentication dialog. When modifying admin Trust
Settings, the process must be running as root, or admin authentication is
required.
-d
dump-trust-settings
[-s
]
[-d
] Display Trust Settings.
user-trust-settings-enable
[-d
] [-e
] Display or
manipulate user-level Trust Settings. With no arguments, shows the current
state of the user-level Trust Settings enable. Otherwise enables or
disables user-level Trust Settings.
trust-settings-export
[-s
]
[-d
] settings_file Export Trust Settings to the
specified file.
trust-settings-import
[-d
]
settings_file Import Trust Settings from the specified file. When
modifying per-user Trust Settings, user authentication is required via an
authentication dialog. When modifying admin Trust Settings, the process
must be running as root, or admin authentication is required.
-d
verify-cert
[options...]
[url] Verify one or more certificates. If a direct
URL argument is provided, a TLS connection is attempted and the
certificate presented by that server is evaluated according to standard
SSL server policy; other certificates or policy options will be ignored in
this case.
-c
certFile-r
rootCertFile-p
policy-C
-d
date-k
keychain-n
name-N
-L
-l
-e
emailAddress-s
sslHost-q
-R
revCheckOption-P
-t
-v
authorize
[options...]
right... Authorize requested right(s). The
extend-rights flag will be passed by default.
-u
-p
-d
-P
-l
-i
-e
-w
authorizationdb
read
<right-name>authorizationdb
write
<right-name> [allow|deny|<rulename>]authorizationdb
remove
<right-name> Read/Modify authorization policy database.
Without a rulename write will read a dictionary as a plist from stdin.
execute-with-privileges
<program> [args...]
Execute tool with privileges. On success stdin will be read and forwarded
to the tool.
leaks
[-cycles
]
[-nocontext
] [-nostacks
]
[-exclude
symbol] Run
/usr/bin/leaks
on this process. This can help find
memory leaks after running certain commands.
-cycles
-nocontext
-nostacks
-exclude
symbolsmartcards
token
[-l
] [-e
token] [-d
token] Enable, disable or list disabled smartcard
tokens.
list-smartcards
Display ids
of available smartcards.
export-smartcard
token
[-i
id]
[-t
type]
[-e
exportPath]
Export/display items from a smartcard. If id isn't
provided, items from all smartcards will be displayed.
-i
id-t
certs|privKeys|identities|all-e
exportPatherror
[error-code...]
Display an error string for the given security-related error code. The
error can be in decimal or hex, e.g. 1234 or 0x1234. Multiple errors can
be separated by spaces.
MallocStackLogging
leaks
command or the
-l
option it's probably a good idea to set this
environment variable before security
is started.
Doing so will allow leaks to display symbolic backtraces.Property list file containing the current user's default keychain and keychain search list.
Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.
Property list file containing the common keychain search list, which is appended to every user's search list and to the system search list.
security
was first introduced in Mac OS X
version 10.3.
security
still needs more commands before
it can be considered complete. In particular, it should someday supersede
both the certtool
and
systemkeychain
commands.
March 15, 2017 | Darwin |