Enforcing a password change in the Keychain

I have an existing AppleScript which I need to add a feature to but, before I start asking questions about glitches which I am having in trying to implement the feature, I think I should ask if I am going about the general design the best way.

The existing script is a droplet which receives files and digitally signs them with GPG using a password retrieved from the OS X Keychain. It actually works remarkably well but now I need to comply with a new state law requiring passwords for digital signatures (in my industry) to be changed every 60 days. It would make no sense to comply with the requirement by changing the GPG password because the user never even sees that password. It’s stored in the Keychain and it’s the Keychain password that they have to enter when they want to sign documents. So, what I think I need to do is enforce changing of a Keychain password every 60 days. The trouble is that that doesn’t seem to be a feature of Keychain Scripting (and, in a way, goes against the grain of the whole concept of the Keychain). Nevertheless, I think the method below should be possible (using the features which Keychain Scripting does have) although I am having trouble trying to code it at just about every step along the way.

I will need to store the key for my application in it’s own separate Keychain, rather than in the login Keychain as I am doing now.

Then the process is:

  1. Get the key from the Keychain
  2. Check to see if the creation date of the key is more than 60 days ago.
  3. If the key is too old then rename the keychain to “old keychain”
  4. Create a new keychain (Keychain Access asks for a password).
  5. Make a new key in the new keychain with info from the old key.
  6. Delete the old keychain.
    … resume processing of the files

The difficulties here include the fact that Keychain Scripting can manage passwords of keys but not of keychains. Similarly, you can get the creation date of a key but not the creation date of a keychain. At this point, I don’t see any way to prevent the user from just entering the same old password when the new keychain is created.

Does this make sense? Is there a better way to do it?


What if you create a key for each new keychain at the same time the keychain is created. The key would hold the date created and the same password.

Editted: sorry I just reread your algorithm and it’s the same thing. :slight_smile:

So the problem is not allowing the user to use the same password.

Why can’t you just compare the old password with the new one?


Actually, what I figured I would do originally was have the AppleScript prompt for a password, check to see if that password can unlock the old keychain and if not then it must be a new password and the script can then go ahead and use it to create a new keychain. I went to go do that and then realized that Keychain Scripting can neither set nor retreive the password of a keychain. It can only do that for keys. When you tell Keychain Scripting to unlock a keychain, it passes that message to Keychain Access which prompts the user for a password. AppleScript can’t touch that process except to initiate it and recieve the message back that it’s done. Similarly, when you give the command to make a new keychain, you can’t have AppleScript handle the password.

I think I would just have one keychain “Passwords” that contain keys for each user.

I was wondering how you were handling the keychain passwords. If you have the password, then I’m quite sure that you can unlock the keychain.

Edit: and onother think I wanted to say is that yu can get the creation date of the keychain file at:

“Macintosh HD:Users:userName:Library:Keychains:Passwords”


Yes, the following script unlocked a locked keychain named “Passwords”.

display dialog “Enter your password:” default answer “”
set pw to text returned of result
tell application “Keychain Scripting”
unlock keychain “Passwords” with password pw
end tell



On my machine (OS 10.4.5) the ‘creation date’ property seems to be broken in Keychain Scripting.

Try this: make a new key in your login chain with Keychain Access with the name ‘test’, then run this script:

tell application "Keychain Scripting"
	set myDate to creation date of first key of (first keychain whose name is "login.keychain") whose name is "test"
end tell
--> date "Friday, January 1, 1904 00:00:00"

The date is always the same for any key I look at. The results are the same for ‘modification date’. I also don’t have the folder “Macintosh HD:Users:userName:Library:Keychains:Passwords”.

Without this working I don’t see how you can know when the keys were created.

Best wishes

John M

I haven’t been having trouble unlocking keychains. What I need to do is two other things. First, either have an AppleScrip change the keychain password or, failing that, create a new keychain with a new password. Second, I need a way to know that the new password is not the same as the old one. All this can be done for individual keys in the keychain but I haven’t been able to figure out how to do it for the keychain itself. Maybe it’s deliberately beyond the reach of AppleScript for security reasons.

Good, that solves one problem. Thanks.

That’s one of the other problems I ran into. I also get “Friday, January 1, 1904 00:00:00” for the creation and modification dates of every key using the same code as you reported. I can get other properties, including passwords and even comments, with no problem. I was figuring that this issue would be solvable one way or another and it was more important to figure out whether the overall process would work.


John, I didn’t expect that! There is no keychain folder in Tiger? Try the following:

set keychain_name to “Passwords” – change this test keychain name
set keychain_folder to (path to “kchn”) as string
set keychain_ref to (keychain_folder & keychain_name) as alias
set creation_date to (creation date of (info for keychain_ref))

fingal, about the other way of just using one keychain that holds passwords, you could maybe write to a key’s comment, the creation date. I’m thinking that something like this might be the only solution, since the creation date returns 1904, unless there is a keychain folder that holds all the keychain files.


Hi Kel,

Sorry, my misunderstanding. I was taking “Macintosh HD:Users:userName:Library:Keychains:Passwords” too literally. Yes there is a folder “Macintosh HD:Users:userName:Library:Keychains” with keychain files in it.

I was thinking something similar, you could write the creation date to a preference folder.

I’m still not quite sure why this password can’t go into the login keychain?

John M

Hi John,

fingal didn’t want to do that because you can’t get or change the password of a key chain through script. But you can make a key whose password you can get or change. So I said, instead of doing that, you could make one keychain (Passwords) that holds all the keys. This way, you only need to unlock one key chain instead of storing or asking for passwords to many keychains. The other method fingal was thinking about was to create new keychains for every user. The thing that’s wrong with this is you can’t delete a keychain I think. .

All the methods are doable. You still need to create keys for each user.

Edit: and I almost forgot one of the main things. The user can’t be allowed to use the same password when it’s time to change it. So, they can’t enter their keychain password. That’s how fingal’s script was doing it and you can’t use theat same method.