How can I remove a keychain that won't delete?

keychain security

I have a rogue keychain called Sophos.keychain. I uninstalled Sophos, but this pesky keychain won't go away. The reason I need it removed is Adobe's apps are trying to use it and it is causing errors.

When I log in as root, I see the keychain in the Keychain Access app, but I cannot delete it. There is a small icon on the keychain file icon that looks like a user icon (maybe).

When I am logged in as my normal admin account, I cannot see this Sophos keychain file.

As root, I have also tried deleting it via command line using security list-keychains and then security delete-keychain with the path to the Sophos.keychain file. Nothing seems work.

Sophos will not assist as I was using the free version. Googling how to remove it leads to dead ends. Apple has also been useless.

When I login as root, I get these errors:error messages

Clicking on Reset to Defaults, and putting in the password doesn't seem to do anything.

I am on Big Sur 11.5.2

Any ideas how I can remove this keychain file?


Solution 1:

[I would just comment, but I don't have enough reputation points.] You didn't say which version of macOS you're using, or if you actually got an error message when trying to delete the keychain from within the Keychain Access utility. Years ago, I created a private keychain file to keep all my secure notes separate from my login.keychain (and a different password is required to open it). That resulted in a file called <private keychain name>.keychain being created in the ~/Library/Keychains folder. That file is still there to this day, and gets updated every time I modify the private keychain. Nowadays, there is also a <private keychain name>.keychain-db file in the same directory. Try to find your Sophos.keychain file(s) in a similar location on your system, and delete it/them using Finder or Terminal (perhaps make compressed copies in case you need to recover). Please note, I have not tried this myself... [On reading @juandesant's answer, I defer to his suggestion.]

Solution 2:

This question seemed to contain the key to the answer:

To fix this you have to manually edit the file /Library/Preferences/com.apple.security-common.plist as root, and delete the corresponding hardcoded <dict>...Sophos...</dict> entry in there. Great care must be taken because you can totally screw up đź‘Ž your system(-keychain) if you leave any errors inside this .plist file. The section that needs to be deleted looks as follows:

 ...
 <dict>
     <key>DbName</key>
     <string>/Library/Sophos Anti-Virus/Sophos.keychain</string>
     <key>GUID</key>
     <string>{some UUID string here}</string>
     <key>SubserviceType</key>
     <integer>6</integer>
 </dict>
 ...

However, there your setup, as indicate in the comments, was somewhat different, and required finding the right file.

The relevant file path was found to be /private/var/root/Library/Preferences/com.apple.security.plist

Related

Synonym of shocking/risqué
The pronunciation of sciurine (pertaining to squirrels)
A comparative clause without a subject
Word or a short phrase to describe a person who is socially responsible
"absent in" or "absent from": word usage and prepositions
The attachment has "already been sent" or has "been already sent"?
” 'it' was him”. Why do we use 'it' when referring to a person by this object pronoun (him)? [duplicate]
The meaning of "if any"
Is there a term for when fiction refers to fiction
Why isn't "compulse" a word?
Can you use "the" with proper names in the posessive case?
Are the names of historic events treated as proper nouns?