Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
Re: "Access to this item is restricted"
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "Access to this item is restricted"



Sounds like Keychain Access (which would have been touched as part of the 10.6.2 update) was not installed correctly, causing its code signature to be incorrect. If an application is code signed and its signature is broken (does not match the installed contents), then it is prevented from getting access to keychain items. You said that the items themselves seem to work, i.e. other apps can access them, which means that there is nothing wrong with those apps or the keychain itself.

Try this on the command line to verify whether Keychain Access has a valid signature:
$ codesign -vvv /Applications/Utilities/Keychain\ Access.app

-ken

On Nov 14 2009 01:56 PM, Jeremy Reichman wrote:
> I've got a keychain that no longer allows me to view the passwords of stored
> keys. This was working for me under Mac OS X 10.6.1 but after an update to
> 10.6.2, I now get "Access to this item is restricted" warnings on every
> keychain item whose password I've tried to view (clicking on the "Show
> password" checkbox).
>
> I'd welcome any thoughts on resolving this issue, which I'll describe
> further below.
>
> I see there are threads about the restricted access warning on Apple
> Discussions and elsewhere. There don't seem to be any good solutions other
> than deleting all of the keys and re-adding, or troubleshooting MobileMe
> sync (which I don't use). I'd rather avoid nuke and pave because the
> keychain dates back to early Mac OS X. I do have backups but due to new
> items added since the last backup, I'd prefer to recover the existing
> keychain. Plus, it's a challenge! :)
>
> >From my logs ('All Messages') I've pulled out two lines of possible
> interest.
>
> 11/13/2009 xx:yy PM    com.apple.systemkeychain[23]    dyld: shared cached
> file was build against a different libSystem.dylib, ignoring cache
> 11/13/2009 xx:yy PM    loginwindow[30]    ERROR | -[LWKeychainSupport
> unlockLoginKeychain] | Unable to unlock the keychain, SecKeychainLogin
> returned -25293
>
> I don't see any other errors. I've already run 'update_dyld_shared_cache'
> and rebooted, just for good measure.
>
> $ sudo update_dyld_shared_cache
>
> After the 10.6.2 upgrade, my default keychain was reset from the one I'd
> previously had defined (the old-style one named with the short username) to
> the 'login' keychain. I've set the prior default keychain up as the default
> again, also rebooting and logging back in.
>
> Another data point: I am apparently unable to change the Access Control
> settings for keychain items. I change them, save the changes (sometimes
> multiple times), and when that keychain item is reopened, I see the previous
> access controls.
>
> The access controls themselves show the apps and settings I'd expect based
> on the keychain item I'm looking at.
>
> The keychain items themselves seem to work even though I can't show the
> associated password. I can still log in with credentials stored in the
> keychain after I answer the relevant prompts.
>
> A wrinkle is that the 10.6.2 upgrade was done through a client management
> tool that without running the package installer. Therefore, none of the
> package scripts would have run. (An obvious next step to me is to run the
> 10.6.2 package installer to see if that makes a difference.) The upgrade to
> 10.6.2 may or may not have been related, but it did happen between the time
> the keychain worked and when it stopped allowing me to show passwords.
>
> Any thoughts on what may have gone wrong and whether it is fixable? Thanks
> in advance!
>
>
> --
> Jeremy
>
>
>  _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Apple-cdsa mailing list      (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

References: 
 >"Access to this item is restricted" (From: Jeremy Reichman <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2011 Apple Inc. All rights reserved.