
I configured S/MIME encryption and signing for Mail on macOS Monterey 12.2.

Even when I'm not trying to do any sort of crypto operation, I get a prompt reading "macOS wants to make changes. Enter an administrator's name and password to allow this." as pictured below. Then it asks again, and again, and again until I've helped it sort out probably every crypto operation needed for every S/MIME-encrypted/signed message in my mailbox.

A prompt that reads "macOS wants to make changes. Enter an administrator's name and password to allow this."

Is it possible to have it prompt just once per Mail session? Or just never again?

AJAr

2 Answers


This issue can occur when your personal S/MIME certificate and private key have been stored in the system keychain instead of your login keychain.

Why this happens

The Mail app needs access to your private key to decrypt messages, but it cannot access the system keychain without an administrator's consent, and - for good reasons - it is not possible to allow permanent access.

How to fix it

  1. Open the Keychain Access app and search for your S/MIME certificate
  2. Export the certificate and its private key to a p12 file
  3. Delete the certificate and key from the system keychain
  4. Select the login keychain
  5. Import the p12 file
  6. Make sure the certificate and private key are now in the login keychain
  7. Quit and re-open the Mail app
  8. You will now be asked to allow access to the login keychain which you should "Always allow"

Quit and re-open the Mail app to verify it's fixed. There should be no more requests.

As an alternative, it may be possible to simply move the certificate and key from the system keychain to the login keychain. I haven't tried that though. Perhaps you may want to try that first and leave feedback if it worked.

HTH!

not2savvy
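Added example, not code from the answer above or from Apple: a small script around macOS's `security` CLI that reports which keychain holds each S/MIME identity, so the System-keychain situation the answer describes can be confirmed before doing the export and re-import. The keychain paths, the Darwin check and the `find-identity` output format are assumptions based on the Monterey defaults.

```shell
#!/bin/sh
# Added example, not code from the original answer: report which keychain
# holds each S/MIME identity so a private key sitting in the System
# keychain (the cause the accepted answer describes) is easy to spot.
# Assumes macOS security(1); the two keychain paths are Monterey defaults.
SYSTEM_KC=/Library/Keychains/System.keychain
LOGIN_KC="$HOME/Library/Keychains/login.keychain-db"

# `security find-identity -v -p smime <keychain>` prints identity lines like
#   1) <40 hex chars, SHA-1 of the cert> "Subject common name"
# followed by an "N valid identities found" summary. Reduce that to one
# "<sha1> <name>" line per identity. Pure text processing, so it can be
# exercised with constructed input on a machine without security(1).
parse_identities() {
    sed -n 's/^ *[0-9][0-9]*) \([0-9A-Fa-f]\{40\}\) "\(.*\)"$/\1 \2/p'
}

# Count parsed identity lines on stdin (used to flag a misplaced key).
count_identities() {
    parse_identities | wc -l | tr -d ' '
}

# Print "SYSTEM|LOGIN <sha1> <name>" for every S/MIME identity found.
# Exit status 1 if any identity lives in the System keychain, which is
# both the cause of the repeated admin prompts and the exposure the
# comments warn about (readable by other admin users on the Mac).
report_identities() {
    misplaced=0
    for kc in "$SYSTEM_KC" "$LOGIN_KC"; do
        case "$kc" in "$SYSTEM_KC") tag=SYSTEM ;; *) tag=LOGIN ;; esac
        listing=$(security find-identity -v -p smime "$kc" 2>/dev/null)
        printf '%s\n' "$listing" | parse_identities | sed "s/^/$tag /"
        n=$(printf '%s\n' "$listing" | count_identities)
        [ "$tag" = SYSTEM ] && [ "$n" -gt 0 ] && misplaced=1
    done
    return $misplaced
}

# Run the report only on macOS, where security(1) exists.
if [ "$(uname)" = Darwin ]; then
    report_identities
fi
```

Any line tagged SYSTEM is an identity that the answer's steps 2 to 6 move into the login keychain; after the move the script should print only LOGIN lines and exit 0.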

(Edit: caution, this introduces a stupid security issue as pointed out by @not2savvy in the comments below. Stay with the Accepted Answer and you're good.)

What worked for me is to locate the private key in question in the System keychain and explicitly allow access to the respective app. In your case that would be "Mail", in mine, it is Outlook. After a sole, last confirmation of username & password it never asked me again when using it via Outlook.

screenshot of system keychain

  • Beware that this can enable other admin users on your Mac to access your private key. Therefore, it's better to keep *your personal* private key in *your personal* keychain. – not2savvy Jul 07 '22 at 07:12
  • Does this solution survive a reboot, i.e. it's still not asking for the password even after a system restart? I would guess it does when you select *Confirm before allowing access*, doesn't it? – not2savvy Jul 07 '22 at 07:14