security: SecKeychainItemImport: The user name or passphrase you entered is not correct.

I exported the pkcs12 file which contains the Apple Distribution Certificate with the Private Key on macOS 14 Sonoma with no password.

I was able to import the same on different macOS 14 Sonoma machines as follows:

security import \
  apple-distribution-hrk.p12 \
  -k /Users/hrk/Library/Keychains/non-default.keychain-db \
  -f pkcs12 \
  -P "" \
  -A

But when I upgraded to macOS 15 Sequoia, running the above command gives me the following error:

security: SecKeychainItemImport: The user name or passphrase you entered is not correct.

Workaround:

I didn't have the Private Key of the original macOS 14 Sonoma from which the pkcs12 file was exported.

So, I had to create the new Certificate by uploading the Certificate Signing Request, download the .cer file, import it, and then export the pkcs12 file with some password.

Then I was able to import the pkcs12 file with the password.

Question

Can somebody point to the official documentation that refers to this Breaking Change?

Or is this the bug in macOS 15 Sequoia?

Answered by DTS Engineer in 805371022
Or is this the bug in macOS 15 Sequoia?

Well, it is from your perspective, and that’s all that really matters here. I recommend that you file a bug about this. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer Thanks for the quick response.

Filed the Feedback: FB15250516.

Thanks.

Can you attach an example .p12 to your bug? That’s likely to be useful for the investigation.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer As the pkcs12 file contains the Private Key + Certificate, I would only share it if asked on the FB15250516.

Even though the Certificate has been revoked, I am not sure if it is still the Private information that should not be shared.

Also, this behaviour is not specific to that particular pkcs12 file but any pkcs12 exported with no password.

Any updates on the bug? Same issue.

Sequoia 15.4.1 (24E263) OpenSSL 3.4.0

Steps for reproducing:

  1. Create .p12 without password

openssl genpkey -algorithm RSA -out private_key.pem

openssl req -new -key private_key.pem -out csr.pem

openssl x509 -req -days 365 -in csr.pem -signkey private_key.pem -out certificate.pem

openssl pkcs12 -export -out bundle.p12 -inkey private_key.pem -in certificate.pem

  2. Import .p12 to a keychain

security import "bundle.p12" "-k" "login.keychain" "-T" "/usr/bin/codesign" "-P" ""

And voila you've got the bug: security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)

security -v import bundle.p12 -k login.keychain -T /usr/bin/codesign -P ""

https://1drv.ms/u/c/de13bcdacf228c88/ER4DNppbQQRMlY4tzawZ1s8BNLNcbEnuf54lLUOL1oD-Dg

security: SecKeychainItemImport: The user name or passphrase you entered is not correct.
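
An added example, not code from the thread or from Apple: implementations differ in how they key the PKCS#12 integrity MAC for an empty password, either with a zero-length byte string or with a BMPString holding only its two-byte terminator, and this Python script reports which form a given .p12 was written with. It assumes a DER-encoded file whose MacData uses the RFC 7292 Appendix B key derivation with SHA-1 or SHA-256; all function names are illustrative.

```python
import hashlib, hmac, sys

# DER-encoded digest OIDs accepted here (assumption: SHA-1 or SHA-256 MacData).
DIGESTS = {bytes.fromhex("2b0e03021a"): "sha1",
           bytes.fromhex("608648016503040201"): "sha256"}

def children(buf):
    """Split DER content into the values of its TLVs (definite lengths only)."""
    out, pos = [], 0
    while pos < len(buf):
        n, pos = buf[pos + 1], pos + 2
        if n & 0x80:                              # long-form length
            k, pos = n & 0x7F, pos + (n & 0x7F)
            n = int.from_bytes(buf[pos - k:pos], "big")
        out.append(buf[pos:pos + n])
        pos += n
    return out

def mac_key(digest, password, salt, iterations):
    """RFC 7292 B.2 key derivation with ID=3 (MAC key), one output block."""
    v = hashlib.new(digest).block_size
    def fill(b):  # repeat b up to the next multiple of v; empty stays empty
        n = v * -(-len(b) // v)
        return (b * (n // len(b) + 1))[:n] if b else b""
    a = bytes([3]) * v + fill(salt) + fill(password)
    for _ in range(iterations):
        a = hashlib.new(digest, a).digest()
    return a

def empty_password_form(pfx_der):
    """Return 'empty-string', 'null', or None if neither form verifies the MAC."""
    parts = children(children(pfx_der)[0])        # version, authSafe, macData
    if len(parts) < 3:
        return None                               # no MacData present
    data = children(children(parts[1])[1])[0]     # OCTET STRING inside [0]
    mac = children(parts[2])                      # DigestInfo, macSalt, iterations
    alg, want = children(mac[0])
    name = DIGESTS.get(children(alg)[0])
    iters = int.from_bytes(mac[2], "big") if len(mac) > 2 else 1
    if name is None:
        return None                               # MAC scheme not handled here
    for label, pw in (("empty-string", b"\x00\x00"), ("null", b"")):
        key = mac_key(name, pw, mac[1], iters)
        if hmac.compare_digest(hmac.new(key, data, name).digest(), want):
            return label
    return None

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(empty_password_form(f.read()))
```

A result of `None` means the file has no MacData, uses a MAC scheme not handled here, or is protected by a non-empty password.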