Update for macOS High Sierra.

This commit addresses #3 by implementing the fix suggested here: https://gist.github.com/rmondello/b933231b1fcc83a7db0b#gistcomment-2272755
lifepillar · Jun 11, 2018 · f713a2a · f713a2a
1 parent a50892e
commit f713a2a
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 27 deletions.
diff --git a/CSVKeychain.applescript b/CSVKeychain.applescript
@@ -623,41 +623,28 @@ end dumpKeychainWithoutPasswords
 *)
 on dumpKeychainWithPasswords(keychain, dumpPath, mode)
 
+	display dialog Â
+		"Type password to unlock keychain items" default answer "" buttons {"Cancel", "OK"} default button "OK" cancel button "Cancel" with title "Set password" with icon note with hidden answer
+
+	set thePassword to the text returned of the result
+
 	-- Run security in the background and redirect the output to a file
 	-- TODO: DUMP ACLs?
+
 	do shell script Â
 		"security -q dump-keychain -d " & quoted form of POSIX path of the keychain & " &>" & quoted form of dumpPath & " &"
 
 	delay 0.5 -- Wait a bit for SecurityAgent to start
 
-	repeat
-
-		try
-
-			allowSecurityAccess(mode)
-			delay 0.2 -- Wait for the next SecurityAgent process
-
-		on error
-
-			try -- to wait a bit if security is still running
-
-				do shell script "ps -x -o comm | grep ^security$" -- Exit code 1 if grep fails to match
-				delay 1
-
-			on error
-				exit repeat
-			end try
-
-		end try
-
-	end repeat
+	allowSecurityAccess(thePassword)
 
 	readUTF8File(dumpPath)
 
 end dumpKeychainWithPasswords
 
 
 (*!
+
 	@abstract
 		Dismisses a SecurityAgent's dialog by pressing the specified button.
 	@discussion
@@ -671,12 +658,23 @@ end dumpKeychainWithPasswords
 	@throws
 		Nothing.
 *)
-on allowSecurityAccess(mode)
+on allowSecurityAccess(thePassword)
 
 	tell application "System Events"
-		tell process "SecurityAgent"
-			click button mode of window 1
-		end tell
+		repeat while exists (processes where name is "SecurityAgent")
+			tell process "SecurityAgent"
+				set frontmost to true
+				try
+					keystroke thePassword
+					delay 0.1
+					keystroke return
+					delay 0.1
+				on error
+					-- do nothing to skip the error
+				end try
+			end tell
+			delay 0.5
+		end repeat
 	end tell
 
 end allowSecurityAccess

diff --git a/Readme.md b/Readme.md
@@ -7,7 +7,8 @@ and import them back into a keychain.
 No trick or reverse engineering is used: exporting is performed by Apple's
 `security` tool, using macOS's assistive support to streamline the process.
 
-Tested in macOS Sierra. Earlier versions of macOS/OS X are not supported.
+The current master should work in (High) Sierra.
+Earlier versions of macOS/OS X are not supported.
 
 
 ## How to use
@@ -16,14 +17,25 @@ To import/export password items, open the AppleScript script in Script Editor.
 The script may be run from source.
 
 Before running the script, go to System Preferences > Security & Privacy >
-Accessibility, and allow Script Editor to control your computer. This step is
+Privacy > Accessibility, and allow Script Editor to control your computer.
+This step is
 required to avoid SecurityAgent to prompt you with a dialog for each item you
 want to export. It basically allows AppleScript to press the Allow button in
 such dialogs for you.
 
 You may also build the script into an application if you want. In this case, you
 must grant the app control of your computer in the same way.
 
+The script always asks for the password to unlock your keychain (you recognise
+the dialog by the AppleScript Script icon). Since that dialog is not very
+secure, it is recommended that you change your keychain's password in
+Keychain.app before exporting your keychain, and restore the original password
+afterwards. You may also be asked to unlock your keychain by SecurityAgent
+(which you do by providing your keychain's password). So, you may have to enter
+your keychain's password once or twice. After that, SecurityAgent will keep
+prompting for a password for each exported item, but the script should fill it
+out for you automatically, so no further action from you will be required.
+
 The script makes a backup of the keychain before importing or exporting data.
 Backups are timestamped and saved into the same folder containing the keychain.
 In any case, it is a good idea to keep a separate backup, just in case.
@@ -41,6 +53,20 @@ the CSV file.
 Finally, access control lists are not exported.
 
 
+## Troubleshooting
+
+If you get this error:
+
+```
+This script will be terminated prematurely because the following error has
+occurred:
+
+security: SecKeychainUnlock [...]: The user name or
+passphrase you entered is not correct. (Error number: 51)
+```
+
+open Keychain.app and lock your keychain. Then, run the script again.
+
 ## Merging files
 
 A Ruby script is provided to merge two CSV files containing password data into