I was setting up a new user on a laptop recently and every time I rebooted the machine, I had to re-enter the wifi password. Aside from being really irritating, there was clearly something wrong.
The Mac was running macOS High Sierra, or possibly Mojave – and Keychain Access had long since removed Keychain First Aid. I tried a few other things, and then in desperation, I tried to delete the System.keychain from /Library/Keychains.
Even as root, I was unable to delete, rename, or do anything at all with the System keychain. I couldn’t use Keychain Access to create, modify or delete items in the Keychain and I couldn’t rename or delete the System.keychain file.
As it turns out, the System.keychain file had somehow ended up with the restricted file flag set on it. This flag was introduced with System Integrity Protection (SIP): while it is set and SIP is enforcing it, nothing, not even root, can modify, rename or delete the file. One way of removing it would be to disable SIP altogether, but there is an easier way, although it still involves booting into Recovery mode. SIP only enforces the restricted flag on files and folders on the currently booted system volume; once you have booted into Recovery, your normal startup disk is just another mounted volume, and the flag can be cleared there (other aspects of SIP still can't be modified from Recovery without disabling it). Note that on a healthy system nothing in /Library/Keychains carries this flag, so seeing it on System.keychain is itself the sign that something has gone wrong.
Reboot the Mac, and before you see the Apple logo appear, hold down ⌘+R to enter Recovery mode.
Once you’re in the Recovery system, go to Utilities > Terminal.
Then type in (assuming your hard disk is called Macintosh HD; if it isn’t, ls /Volumes will show you its name):

    cd /Volumes/Macintosh\ HD/Library/Keychains/
    ls -aOl
(that’s ell, ess, space, hyphen, ay, capital Oh, lower-case ell)
On my currently functioning system I see the following:
    [kai@Kais-Mac-mini /Library/Keychains]$ ls -aOl
    total 1296
    drwxr-xr-x    9 root  wheel  -                 288 15 Aug 15:40 .
    drwxr-xr-x+  65 root  wheel  sunlnk           2080 12 Jun 17:02 ..
    -r--r--r--@   1 root  wheel  -                   0 21 Nov  2018 .fl043D1EDD
    -r--r--r--    1 root  wheel  -                   0  4 Nov  2018 .fl947E1BDB
    drwxr-xr-x    3 root  wheel  -                  96 19 Aug 11:42 SupplementalsAssets
    -rw-r--r--    1 root  wheel  -              483432 15 Aug 15:40 System.keychain
    -rw-r--r--@   1 root  wheel  -               38728 27 Jun 10:49 apsd.keychain
    drwxr-xr-x    6 root  wheel  -                 192 19 Aug 13:55 crls
    -rw-r--r--    1 root  wheel  -               81920 10 Apr 16:39 pinningrules.sqlite3
That’s pretty much how it should look. On the broken system I was working with, the System.keychain file was showing up as restricted, like so:
    -rw-r--r--    1 root  wheel  restricted     483432 15 Aug 15:40 System.keychain
From there it was simple to change the flags to remove the restricted flag:
    chflags norestricted System.keychain
After this, run ls -aOl again to check the flag has been removed (you’ll see a hyphen in the flags column instead of restricted) and then reboot.
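The whole procedure above can be wrapped in a short script for the Recovery Terminal that only touches the file when the flag is actually present and confirms afterwards that it is gone. This is an added example, not a script from the original post. The listing in SAMPLE_LISTING is constructed to mirror the broken state described above; the function names are my own; `ls -O` and `chflags norestricted` are the standard BSD utilities on macOS, and, as the post explains, clearing the flag on the startup disk only works when booted into Recovery.

```shell
#!/bin/sh
# Added example (not from the original post): find entries in a Keychains
# directory that carry the SIP "restricted" flag, as shown by `ls -lO`,
# and clear it with `chflags norestricted` after confirming it is set.
# Only the parsing helper is portable; the fix-up needs macOS.

# Constructed sample of `ls -aOl` output, modelled on the broken listing in
# the post (System.keychain wrongly carries the restricted flag).
SAMPLE_LISTING='total 1296
drwxr-xr-x    9 root  wheel  -                 288 15 Aug 15:40 .
drwxr-xr-x+  65 root  wheel  sunlnk           2080 12 Jun 17:02 ..
-rw-r--r--    1 root  wheel  restricted     483432 15 Aug 15:40 System.keychain
-rw-r--r--@   1 root  wheel  -               38728 27 Jun 10:49 apsd.keychain
-rw-r--r--    1 root  wheel  -               81920 10 Apr 16:39 pinningrules.sqlite3'

# Print the names of entries whose flags column contains "restricted".
# Reads `ls -lO`-style lines on stdin. With -O the flags are field 5
# (between group and size); after size come day, month, time-or-year, so
# the name starts at field 10 and may contain spaces. Flags may be a
# comma-separated list (e.g. "restricted,uchg"), hence the regex.
# The "total" line and the . and .. entries are skipped.
restricted_entries() {
    awk '
        $1 == "total" { next }
        $10 == "." || $10 == ".." { next }
        $5 ~ /(^|,)restricted(,|$)/ {
            name = $10
            for (i = 11; i <= NF; i++) name = name " " $i
            print name
        }'
}

# Clear the restricted flag on one file in a Keychains directory (macOS only;
# run from the Recovery Terminal against the mounted startup disk, e.g.
# "/Volumes/Macintosh HD/Library/Keychains"). The file name defaults to
# System.keychain. Refuses to act if the flag is not set, and fails if the
# flag is still present afterwards, which is what you would see when run on
# the booted system instead of from Recovery.
fix_restricted_file() {
    dir=$1
    name=${2:-System.keychain}

    if ls -aOl "$dir" | restricted_entries | grep -qx -- "$name"; then
        chflags norestricted "$dir/$name" || return 1
    else
        echo "$name is not flagged restricted; nothing to do" >&2
        return 0
    fi

    # Re-check: the file must no longer be listed as restricted.
    if ls -aOl "$dir" | restricted_entries | grep -qx -- "$name"; then
        echo "restricted flag still set on $name (are you booted into Recovery?)" >&2
        return 1
    fi
    ls -lO "$dir/$name"
}

# Stand-alone demonstration on the constructed listing: prints the entries
# that would be acted on (here, only System.keychain).
printf '%s\n' "$SAMPLE_LISTING" | restricted_entries
```

From the Recovery Terminal, `fix_restricted_file "/Volumes/Macintosh HD/Library/Keychains"` performs the check, the chflags and the confirming ls in one step; on a healthy system it reports that there is nothing to do, which is a useful sanity check before rebooting.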
You haven’t had to disable SIP, so you don’t need to remember to re-enable it. After you’ve rebooted, you can then use the System keychain as normal, including saving your wifi credentials to it.