Mac OS X security export won't accept passphrase

I'm trying to export some items on my keychain like this:

hostname:~ username$ security export -k login.keychain -t all -P "passphrase"

but I always get this error:

security: SecKeychainItemExport: Passphrase is required for import/export

What gives?

Clarification: I'm logged in via SSH.


Solution 1:

When I run

security export -t identities

I get the same error message:

security: SecKeychainItemExport: Passphrase is required for import/export.

However, if I specify a format with the -f option (and put the binary output stream into a file), it works:

security export -P testing -f pkcs12 -t identities -o test.p12

yields a file I can work with via openssl.

It looks to me like security is just using the wrong error message here, thus making it look like the feature doesn't work. It probably should be saying "You must specify a format to export private keys", or words to that effect.

The actual insight comes from this tweet.

Solution 2:

This is just broken, IMO. 'security export' behaves very badly if you try to export private keys and you log in with SSH. Same commands work when you log in from the GUI. Is this on purpose?

Depending on what you need, you might be able to work around it with 'security find-certificate' or 'security export -t certs'. It all works as long as you don't export a private key.

Solution 3:

If your passphrase has any odd symbols your shell is swallowing, try using single quotes instead of double to prevent interpolation.

security export -k login.keychain -t all -P 'passphrase'
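
Added example, not part of any of the answers above: it shows what the quoting difference in Solution 3 does to a passphrase containing `$`, using openssl to open a PKCS#12 file of the kind Solution 1 exports. The passphrase, the CN, the `$horse` variable and the function names are constructed for illustration, and the .p12 is generated with openssl so the script runs without a keychain.

```shell
#!/bin/sh
# Added example with constructed data: test.p12 is generated here with openssl
# as a stand-in for the file `security export -f pkcs12 -o test.p12` writes.

unset horse   # make sure "$horse" below expands to nothing

# What the program actually receives as the passphrase argument:
quoted_single() { printf '%s' 'correct$horse'; }   # literal: correct$horse
quoted_double() { printf '%s' "correct$horse"; }   # $horse expanded: correct

# make_p12 DIR PASS: throwaway self-signed identity packed as PKCS#12.
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed-example' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    P12_PASS="$2" openssl pkcs12 -export -inkey "$1/key.pem" \
        -in "$1/cert.pem" -out "$1/test.p12" -passout env:P12_PASS
}

# check_p12 FILE PASS: succeeds only if PASS opens FILE.
# env: keeps the passphrase out of the process argument list.
check_p12() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nokeys -noout >/dev/null 2>&1
}

# Protect a file with the single-quoted passphrase, then try both forms.
demo() {
    dir=$(mktemp -d) || return 1
    make_p12 "$dir" "$(quoted_single)" || { rm -rf "$dir"; return 1; }
    if check_p12 "$dir/test.p12" "$(quoted_single)"; then s=ok; else s=rejected; fi
    if check_p12 "$dir/test.p12" "$(quoted_double)"; then d=ok; else d=rejected; fi
    rm -rf "$dir"
    printf 'single=%s double=%s\n' "$s" "$d"
}

demo
```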