Exporting (iCloud) Keychain and Safari credentials to a CSV file

After my dad died, I wanted to be able to have access to any of his online accounts going forward. My dad was a Safari user and used iCloud Keychain to sync his credentials across his devices. I don’t want to have to keep an OS X user account around just to access his accounts, so I wanted to export his credentials to a portable file.

This is the process I used to create a CSV file of his credentials in the format “example.com,user,pass”. This portable format would be pretty easy to import into 1Password or Safari in the future.

The way I went about this isn’t great; it opens up more opportunities for apps to control one’s Mac through Accessibility APIs, it writes plaintext passwords to disk, and it could use some cleaning up. A better approach might leverage the security command line tool that ships with OS X. That said, I found this method to be a fun illustration of what’s possible using AppleScript (or JavaScript!) and UI scripting on OS X.

Copy the iCloud Keychain into a local Keychain

One’s iCloud Keychain is stored on disk in a different format than a traditional keychain. To access the credentials, I first created a traditional keychain with the iCloud Keychain’s contents. To do this, I clicked File > New Keychain (⌥⌘N) in Keychain Access. In my case, I saved the new keychain to the desktop. I clicked on iCloud in the sidebar, selected all of the passwords, and copied them. I selected the new keychain I just created and pasted the passwords.

Screenshot of Keychain Access asking for the "Local Items" keychain password

Keychain Access prompted me for the “Local Items” keychain password for every password I was pasting. In my case, this would have been over 200 times!

Automating typing the keychain password and clicking “OK”

I ran the following script to take care of this:

-- Taken from a comment by Mr. X on http://selfsuperinit.com/2014/01/20/exporting-icloud-keychain-passwords-as-a-plain-text-file/
set keychainPassword to "keychain password"

tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            set value of text field 1 of window 1 to keychainPassword
            click button "OK" of window 1
        end tell
        delay 0.2
    end repeat
end tell

Whatever process is running this script (Script Editor or a standalone bundle), it’ll need permission to “control your computer”.

Screenshot Security & Privacy > Privacy > Accessibility

After that runs, the recently-created local keychain should contain all of the passwords stored in iCloud Keychain.

Write all of the passwords from the keychain to a file

I grabbed a copy of Daniel Jalkut’s “Usable Keychain Scripting” utility to help with the next part, but someone more sane might turn to security.

I ran the following script to write the passwords out to disk:

set the logFile to ((path to desktop) as string) & "Passwords"
set keychainPath to "/Users/Dad/Desktop/dad.keychain"

-- write_to_file taken from http://www.macosxautomation.com/applescript/sbrt/sbrt-09.html
on write_to_file(this_data, target_file, append_data)
    try
        set the target_file to the target_file as string
        set the open_target_file to open for access file target_file with write permission
        if append_data is false then set eof of the open_target_file to 0
        write this_data to the open_target_file starting at eof
        close access the open_target_file
        return true
    on error
        try
            close access file target_file
        end try
        return false
    end try
end write_to_file

tell application "Usable Keychain Scripting"
    set keychainItems to get every keychain item of keychain keychainPath
    repeat with keychainItem in keychainItems
        set aServer to server in keychainItem
        set anAccount to account in keychainItem
        set aPassword to password in keychainItem

        set csvEntry to aServer & "," & anAccount & "," & aPassword & "
"

        my write_to_file(csvEntry, logFile, true)
    end repeat
end tell

There’s a lot that can be improved with this code. For instance, I could have used a consistent naming style between copied and non-copied code. If I took the time to look up an array or list "join" routine, the intent of the code could have been better communicated.

Here again, OS X’s Keychain wanted to do its job, prompting me to allow access for each of the 200+ items.

-- Taken from a comment by Mr. X on http://selfsuperinit.com/2014/01/20/exporting-icloud-keychain-passwords-as-a-plain-text-file/
tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            click button "Allow" of window 1
        end tell
        delay 0.2
    end repeat
end tell

After that, I had my file. Inelegant, but it got the job done, and I had fun.
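The write-up names two weak points: plaintext passwords written to disk, and fields joined with bare commas. As an added example (not part of the original gist, and in Python rather than AppleScript; every function name and sample row is constructed for illustration), the code below writes the same "server,account,password" rows with full CSV quoting into a file created owner-only (mode 0600), and reports which rows the bare-comma export would have corrupted:

```python
import csv
import os

# Constructed sample rows in the gist's "server, account, password" order.
SAMPLE_ROWS = [
    ("example.com", "user", "pass"),
    ("mail.example.org", "dad", 'tr,ee"house'),          # comma and quote in password
    ("intranet.example.net", "Smith, John", "hunter2"),  # comma in account name
]

# Characters that change how a CSV parser splits an unquoted field.
CSV_SPECIAL = (",", '"', "\r", "\n")


def naive_line(row):
    """Reproduce the gist's concatenation: fields joined by bare commas."""
    server, account, password = row
    return server + "," + account + "," + password + "\n"


def naive_field_count(row):
    """Number of fields a CSV importer sees when it reads the naive line back."""
    return len(next(csv.reader([naive_line(row)])))


def rows_naive_would_corrupt(rows):
    """Rows where any field contains a character the naive export does not escape."""
    return [r for r in rows
            if any(ch in field for field in r for ch in CSV_SPECIAL)]


def write_credentials_csv(path, rows):
    """Write fully quoted CSV to a new file that only the owner can read."""
    # O_EXCL refuses to reuse an existing file (or follow a planted symlink),
    # so the 0600 mode is set when the file is created, not afterwards.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)
    os.fchmod(fd, 0o600)  # umask can only clear bits; make the mode exact
    with os.fdopen(fd, "w", newline="", encoding="utf-8") as fh:
        csv.writer(fh, quoting=csv.QUOTE_ALL).writerows(rows)


def read_credentials_csv(path):
    """Read the quoted CSV back as a list of (server, account, password) tuples."""
    with open(path, newline="", encoding="utf-8") as fh:
        return [tuple(r) for r in csv.reader(fh)]


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "Passwords.csv")
        write_credentials_csv(out, SAMPLE_ROWS)
        print("mode:", oct(os.stat(out).st_mode & 0o777))
        print("round trip ok:", read_credentials_csv(out) == SAMPLE_ROWS)
        for row in rows_naive_would_corrupt(SAMPLE_ROWS):
            # Print only the server name, never the secret itself.
            print("naive export splits", row[0], "into",
                  naive_field_count(row), "fields")
```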

ghost Jul 1, 2015

Hi Ricky,
May I ask how you found the value of the "Local Items" password?
Thanks!

FreekSanders Oct 22, 2015

Thanks! It worked quite nicely :D

marty-b1 Jun 23, 2016

This doesn't work for me, I get the following error:


keychain.sh: line 1: syntax error near unexpected token `('
keychain.sh: line 1: `set the logFile to ((path to desktop) as string) & "Passwords"'

Any way to fix this? This is for OS X 10.11.5

Thanks.

wknechtel Sep 7, 2016

Works beautifully - even for Yosemite. Thanks!

AlexandreCassagne Nov 7, 2016

Did anyone get this to work in Sierra?

scarlac Dec 17, 2016

@AlexandreCassagne Yes, I got it working in Sierra, specifically version 10.12.2 (16C67).

For me, I got a lot of "duplicate" error prompts so I wrapped the security prompts in a try-on-error block like this:

-- Taken from a comment by Mr. X on http://selfsuperinit.com/2014/01/20/exporting-icloud-keychain-passwords-as-a-plain-text-file/
set keychainPassword to "secret"

tell application "System Events"
	repeat while exists (processes where name is "SecurityAgent")
		tell process "SecurityAgent"
			try -- added
				set value of text field 1 of window 1 to keychainPassword
				click button "OK" of window 1
			on error -- added
				-- do nothing and skip -- added
			end try -- added
		end tell
		delay 0.2
	end repeat
end tell

And I also did it for the final export where I got some other errors:

tell application "System Events"
	repeat while exists (processes where name is "SecurityAgent")
		try -- added
			tell process "SecurityAgent"
				click button "Allow" of window 1
			end tell
		on error -- added
			-- ignore it -- added
		end try -- added
		delay 0.2
	end repeat
end tell

Please ensure that you have a comment in the "on error" block, or else the Script Editor will optimize it out. Also, in case anybody is wondering, the "Usable Keychain Scripting" app just runs invisibly in the background. I couldn't tell it was working but the script ran just fine so, yeah.

Fall711 Feb 19, 2017

Hi,

I want to leave Apple and my MacBook Pro and I simply want to export all my stored passwords...

I didn't manage to get this script working and I'm really bored of Apple things...

I feel like I can't control my own data because Apple decided to do as they want to...

Can someone help me?

Thank you.

raywang13 Mar 22, 2017

I get this error on set keychainItems to get every **keychain** item of keychain keychainPath on the keyword **keychain**

error: Expected class name but found identifier.

Is anyone else getting this error? I'm running this in ScriptEditor.

lifepillar Apr 3, 2017

someone more sane might turn to security.

I may be the one: https://github.com/lifepillar/CSVKeychain

:)

IgorVoiT Jul 4, 2017

Works nice in Sierra 👍

geoffmyers Jul 6, 2017

I receive the following error message in macOS High Sierra 10.13 Beta (17A291m):

error "System Events got an error: Can’t get window 1 of process \"SecurityAgent\". Invalid index." number -1719 from window 1 of process "SecurityAgent"

BadPirate Jul 14, 2017

Same problem as @geoffmyers -- However I'm running OS X 10.12.4

BadPirate Jul 14, 2017

Additionally, if I manually enter my iCloud password I get:

"An error has occurred, unable to add an item to the current keychain"

screen shot 2017-07-14 at 2 57 13 pm

yoyoitsevan Jul 22, 2017

If you get an error when you're exporting your "iCloud passwords" it means your iCloud keychain is still enabled. Disable iCloud keychain in System Preferences -> iCloud and elect to "save all items" and then all the iCloud password items will move to "login items" in Keychain Access, and then you shouldn't have an issue from there.

cooler9711 Oct 7, 2017

I'm having the same problem as @geoffmyers. Any fix for this yet?

htmlarson Oct 7, 2017

It turns out that the security dialog really wants your content. I fixed it by removing the delays, adding a "try" wrapper, and then sitting there and moving the window a little bit. As soon as I did that, it was able to find the window and enter it. Much faster.

set keychainPassword to "keychain password"

tell application "System Events"
	repeat while exists (processes where name is "SecurityAgent")
		try
			tell process "SecurityAgent" to set frontmost to true
			tell process "SecurityAgent"
				set frontmost to true
				
				set value of text field 1 of window 1 to keychainPassword
				click button "OK" of window 1
			end tell
		end try
	end repeat
end tell

shahab1363 Nov 13, 2017

Thanks @rmondello and @htmlarson,
your tips really helped me. I mixed @htmlarson's snippet with MouseTools (http://www.hamsoftengineering.com/codeSharing/MouseTools/MouseTools.html) and it worked perfectly! 👍

jjennings089 Nov 30, 2017

To work on High Sierra: (note I built this from all the other comments so thank you to all who contributed to commenting)

tell application "System Events"
	repeat while exists (processes where name is "SecurityAgent")
		tell process "SecurityAgent"
			set frontmost to true
			if (count of windows) > 0 then
				set window_name to name of front window
			end if
			try
				keystroke "password"
				delay 0.1
				keystroke return
				delay 0.1
			on error
				-- do nothing to skip the error
			end try
		end tell
		delay 0.5
	end repeat
end tell

SidorovX86 Dec 3, 2017

@jjennings089, It works now perfectly!

duplex143 Dec 12, 2017

@raywang13
Install Usable Keychain Scripting app at http://red-sweater.com/blog/downloads/UsableKeychainScripting.dmg

pchiu33 Dec 16, 2017

@jjennings089 Thanks: this is the only script that works out-of-the-box (I'm on High Sierra 10.13.2)

bnightstar Jan 22, 2018

Thank you for this one. I was struggling to get my data out of iCloud keychain that stopped syncing for God knows what reason and this script helped me make a backup of my passwords. Life changing for me.

GermanMinerDE Feb 3, 2018

Very good! Last post by jjennings089 worked perfectly for me!

marcotini Mar 18, 2018

@jjennings089 it's not working like it should. Sometimes (I mean, like 20 times in 2000 passwords) a message like this appears and interrupts the whole process. I tried to click OK but it's not working...

screen shot 2018-03-17 at 20 06 25

alemol Apr 6, 2018

On Sierra 10.13.3 I have exactly the same error as @raywang13:

I get this error on set keychainItems to get every keychain item of keychain keychainPath on the keyword keychain
error: Expected class name but found identifier.

Is anyone else getting this error? I'm running this in ScriptEditor.

lcrea May 15, 2018

@alemol

Is anyone else getting this error? I'm running this in ScriptEditor.

Yep, same error, even trying to copy the elements manually 😒
I guess it could be a new security feature of one of the latest macOS updates.

I'm starting to think that, maybe, the safest solution to back up iCloud Keychain might be to temporarily disable the service. Doing so — based on what Apple says — a copy of all the passwords is saved locally in a file. Thus, we can store that file somewhere else and then re-enable the service and our backup is done.

19wolf Jul 1, 2018

Where is said file?

dbw2018 Jul 20, 2018

I'm using jjennings089's last AppleScript dated 30 November 2017, where I paste password records from the iCloud keychain to a new and empty keychain. I tested this on both High Sierra 10.13.5 and 10.13.6. No matter if I do this manually or use the script, I get the following two windows:

screen shot 2018-07-20 at 23 12 38

screen shot 2018-07-20 at 22 52 49

I tried to deactivate the iCloud keychain so the keychain changed to "Local Items"... same error.

I tried to manually copy from other keychains to my new keychain and that works... just can't copy from the local items/icloud keychain.

I have no trouble opening and reading the password records in the icloud/local items keychain. And they work fine in Safari.

Any ideas?

martijndierckx Jul 30, 2018

Same issue here ... Every password returns the same error.
Copying fails on every item.

scumbly Aug 18, 2018

Same issue as above 2 commenters. Haven't been able to work out a solution. High Sierra 10.13.4

Nikscorp Aug 18, 2018

@dbw2018
@martijndierckx
@scumbly

Try these workarounds to make it work on the latest macOS versions. Works great for me in 10.13.6.

Get passwords from Safari

Get passwords from iCloud keychain directly
