macos_keychain {oskeyring}R Documentation

Query and manipulate the macOS Keychain


⁠macos_item_*⁠ functions add, delete, update and search Keychain items.

⁠macos_keychain_*⁠ functions create, delete, list, lock, unlock keychains.

macos_item_classes() lists the supported Keychain item classes. macos_item_attr() lists the supported attributes for these classes. macos_item_match_options() lists the options supported by the match argument of macos_item_search().



macos_item(value, attributes = list(), class = "generic_password")

macos_item_add(item, keychain = NULL)

  class = "generic_password",
  attributes = list(),
  match = list(),
  return_data = FALSE,
  keychain = NULL

  class = "generic_password",
  attributes = list(),
  match = list(),
  update = list(),
  keychain = NULL

  class = "generic_password",
  attributes = list(),
  match = list(),
  keychain = NULL

macos_keychain_create(keychain, password = NULL)

macos_keychain_list(domain = c("all", "user", "system", "common", "dynamic"))


macos_keychain_lock(keychain = NULL)

macos_keychain_unlock(keychain = NULL, password = NULL)

macos_keychain_is_locked(keychain = NULL)





Value of the item, a password, key or certificate. It must a raw vector or a string. If it is a string, then it is converted to UTF-8.


Narrow the search by indicating the attributes that the found item or items should have.


Type of items to search, see macos_item_classes() for possible values.


Keychain item, creted via macos_item() or returned by oskeyking itself.


Keychain to use. NULL means the default one.


Condition the search in a variety of ways. For example, you can limit the results to a specific number of items, control case sensitivity when matching string attributes, etc. See 'Search parameters' below.


Whether to include the secret data in the search result. If this is set to TRUE, then you'll have to set the limit parameter (in the match argument) to a finite value. If this is TRUE, then macOS will prompt you for passwords if necessary. You might get multiple password prompts, if you set limit to a larger than one value.


Named list specifying the new values of attributes.


Password to unlock the keychain, or new password to set when creating a new keychain. May be NULL in interactive sessions, to force a secure password dialog.


The preference domain from which you wish to retrieve the keychain search list:

  • "all": include all keychains currently on the search list,

  • "user": user preference domain,

  • "system": system or daemon preference domain,

  • "common": keychains common to everyone,

  • "dynamic": dynamic search list (typically provided by removable keychains such as smart cards).


macos_item_classes() returns a character vector, the names of the supported keychain item classes.

macos_item() returns a new oskeyring_macos_item object.

macos_item_add() returns NULL, invisibly.

macos_item_search() returns a list of keychain items.

macos_item_update() returns NULL, invisibly.

macos_item_delete() returns NULL, invisibly.

macos_keychain_create() returns NULL, invisibly.

macos_keychain_list() returns a data frame with columns:

macos_keychain_delete() returns NULL, invisibly.

macos_keychain_lock() returns NULL, invisibly.

macos_keychain_unlock() returns NULL, invisibly.

macos_keychain_is_locked() returns TRUE or FALSE.

macos_item_attr() returns a list of lists of character scalars, the description of keychain item attributes, for each keychain item class.

macos_item_match_options() returns a list of character scalars, the description of the supported match options.

Keychain items

macos_item_classes() returns the currently supported Keychain item classes.

#> [1] "generic_password"  "internet_password"

macos_item() creates a new Keychain item. See the next section about the attributes that are supported for the various item types.

it <- macos_item("secret", list(service = "My service", account = "Gabor"))
#> <oskeyring_macos_item: generic_password>
#>  account: Gabor
#>  service: My service
#>  value: <-- hidden -->

macos_item_add() adds an item to the keychain. If there is already an item with the same primary keys, then it will error.


macos_item_search() searches for Keychain items. If return_data is TRUE then it also returns the secret data. Returning the secret data might create a password entry dialog. If return_data is TRUE then you need to set the limit match condition to a (small) finite number.

macos_item_search(attributes = list(service = "My service"))
#> [[1]]
#> <oskeyring_macos_item: generic_password>
#>  account: Gabor
#>  creation_date: 2022-10-27 11:08:28
#>  label: My service
#>  modification_date: 2022-10-27 11:08:28
#>  service: My service

macos_item_update() updates existing Keychain items.

  attributes = list(service = "My service", account = "Gabor"),
  update = list(account = "Gabor Csardi")
macos_item_search(attributes = list(service = "My service"))
#> [[1]]
#> <oskeyring_macos_item: generic_password>
#>  account: Gabor Csardi
#>  creation_date: 2022-10-27 11:08:28
#>  label: My service
#>  modification_date: 2022-10-27 11:08:28
#>  service: My service

macos_item_delete() deletes one or more Keychain items. Note that all matching items will be deleted.

macos_item_delete(attributes = list(service = "My service"))
macos_item_search(attributes = list(service = "My service"))
#> list()

Keychain Item Attributes

Attributes for generic passwords
Attributes for internet passwords

Search Parameters

osxkeychain only supports a limited set of search parameters. You can provide these for macos_item_search() as the match argument:


macOs supports multiple keychains. There is always a default keychain, which is the user's login keychain, unless configured differently. There is also a keychain search list. Keychains may belong into four non-exclusive categories, see the domain argument of macos_keychain_list(). A keychain is stored in an encrypted file on the disk, see the first column of the output of macos_keychain_list().

⁠macos_item_*()⁠ functions have a keychain argument to direct or restrict the operation to a single keychain only. These are the defaults:

macos_keychain_create() creates a new keychain.

macos_keychain_list() lists all keychains on the search list.

new <- "~/Library/Keychains/test.keychain-db"
macos_keychain_create(new, password = "secret")
##                                                     path is_unlocked
## 1 /Users/gaborcsardi/Library/Keychains/login.keychain-db        TRUE
## 2 /Users/gaborcsardi/Library/Keychains/shiny.keychain-db       FALSE
## 3  /Users/gaborcsardi/Library/Keychains/test.keychain-db        TRUE
## 4                     /Library/Keychains/System.keychain       FALSE
##   is_readable is_writeable
## 1        TRUE         TRUE
## 2        TRUE        FALSE
## 3        TRUE         TRUE
## 4        TRUE        FALSE

macos_keychain_lock() locks a keychain. macos_keychain_unlock() unlocks a keychain. macos_keychain_is_locked() checks if a keychain is locked.

## [1] TRUE
macos_keychain_unlock(new, password = "secret")
## [1] FALSE

macos_keychain_delete() deletes a keychain: it removes it from the search list and deletes the data from the disk. It currently refuses to delete the user's login keychain and the system keychain. Use Keychain Access instead if you want to delete these. (Only do this if you are aware of the bad consequences.)

##                                                     path is_unlocked
## 1 /Users/gaborcsardi/Library/Keychains/login.keychain-db        TRUE
## 2 /Users/gaborcsardi/Library/Keychains/shiny.keychain-db       FALSE
## 3                     /Library/Keychains/System.keychain       FALSE
##   is_readable is_writeable
## 1        TRUE         TRUE
## 2        TRUE        FALSE
## 3        TRUE        FALSE

See Also

The Keychain Services API documentation at


# See above

[Package oskeyring version 0.1.6 Index]