Closed
Description
One-line Description
PC throws an error w/ dialog on startup re: the keychain on Mac OS X 10.11
Broader Description
On occasion, Package Control starts up at the beginning of a ST3 startup and displays an error of the form:
Package Control
Error executing: /usr/bin/security dump-trust-settings -d
SecTrustSettingsCopyTrustSettings: The specified item could not be found in the keychain.
...
...
Replication / regression
It happens at startup but not every startup. Difficult to replicate but I'm presuming you know where this work is being done. Furthermore- I just noticed a PC upgrade. So I have upgraded to see if this fixes this problem.
Happens across 2x machines at least, both running El Cap/10.11 and shared preferences / configuration via Dropbox
Relevant configuration notes
Mac Book Pro Retina + Mac Pro
Mac OS X 10.11 GM
ST3 3095
PC 3.1.0
Activity
wbond commentedon Sep 23, 2015
Package Control only dumps the trust settings about once a week since it can take a few seconds to do so. This is most likely why you only see it occasionally.
I've been working on a bunch of other, mostly unrelated crypto code that deals with dumping these trust settings also, albeit without launching a subprocess, but instead using the OS X APIs. It may make more sense to switch over to that code since it is more well tested and would not suffer from the perils of scraping command line tool output.
Just incase anyone is reading and wants to know the direction am considering, please see https://github.com/wbond/oscrypto/blob/master/oscrypto/_osx/trust_list.py#L21-L140.
wbond commentedon Sep 23, 2015
I should also note, it appears that this output is likely caused because "custom" trust settings exist for one or more certs in your system keychain.
flipphillips commentedon Sep 23, 2015
Indeed there is something 'up' with my keychain there. Curious.
musashinm commentedon Oct 1, 2015
Same here.
fabienbellanger commentedon Oct 8, 2015
I have the same problem
ashokfernandez commentedon Oct 8, 2015
+1
zhanghan177 commentedon Oct 9, 2015
+1 Appears after upgrading to os x 10.11
alana314 commentedon Oct 9, 2015
I'm seeing it too in El Capitan. Could it be the SIP settings limiting /usr/bin?
dadaclonefly commentedon Oct 9, 2015
+1 after upgrading OS X 10.11
tylerhellner commentedon Oct 10, 2015
+1 after upgrading to OS X 10.11
Full message:
mrexodia commentedon Oct 10, 2015
What worked for me was to remove all certificates shown when you execute
/usr/bin/security dump-trust-settings -d(mine was expired is why I tried).When re-adding the HTTPS certificate using Safari everything worked again.
My console output:
It might have to do with the updated root certificates in El Capitan.
GTE CyberTrust Global Rootis no longer a certificate authority (see here). However, I don't know much about certificate authorities and stuff so I don't know if this is the real reason.tzm41 commentedon Oct 15, 2015
harshal-gajare commentedon Oct 15, 2015
I am getting this error as well
Mac OS X 10.11
Package Control
Error executing: /usr/bin/security dump-trust-settings -d
SecTrustSettingsCopyTrustSettings: The specified item could not be found in the keychain.
SecTrustSettingsCopyTrustSettings: The specified item could not be found in the keychain.
Number of trusted certs = 3
Cert 0: SAP Passport CA
Number of trust settings : 2
Trust Setting 0:
Policy OID : Apple X509 Basic
Allowed Error : CSSMERR_TP_CERT_EXPIRED
Result Type : kSecTrustSettingsResultTrustRoot
Trust Setting 1:
Allowed Error : CSSMERR_TP_CERT_EXPIRED
Result Type : kSecTrustSettingsResultTrustRoot
Cert 1: GTE CyberTrust Global Root
Cert 2: Class 3 Public Primary Certification Authority
VCS-based packages can be ignored with the "ignore_vcs_packages" setting.
davidsouza commentedon Oct 15, 2015
+1
22 remaining items
davidhq commentedon Oct 24, 2015
Maybe there has been enough of +1s on this thread :) The message has gotten accross :D
imcom commentedon Oct 25, 2015
+1 Appears after upgrading to os x 10.11
inopinatus commentedon Oct 25, 2015
+1 and mostly I want to know if this breaks anything.
urda commentedon Oct 25, 2015
I'm going to echo what @davidhq said, we've got enough +1's for now, and @wbond has recognized this issue.
tatygrassini commentedon Oct 26, 2015
+1
badabam commentedon Oct 27, 2015
+1
goiwai commentedon Oct 28, 2015
+1
cfc4n commentedon Oct 28, 2015
+1
marcjohlic commentedon Oct 29, 2015
+1 ST3, El Capitan etc
manuelmeurer commentedon Oct 29, 2015
Seriously, guys, please stop it with the +1s! It gets really annoying for people like me who subscribed to updates from this ticket... @wbond already responded that he is working on this! 😄
wbond commentedon Jun 14, 2016
Here is the current work to be done: wbond/oscrypto#15
wbond commentedon Jul 29, 2016
be747b9 replaces the old trust list export code with new code from oscrypto. There will be a new release in the near future that includes this.