Jeff Johnson (My apps, PayPal.Me, Mastodon)

Feedback Assistant Boycott

macOS Sonoma silently enabled iCloud Keychain despite my precautions

May 26 2024

This is a follow-up to my blog post Updating from macOS Ventura to Sonoma silently enables iCloud Keychain. In the addendum to that blog post, I discussed a workaround, which was to delete my WiFi password right before rebooting into the updater. In a trial run on my M1 Mac mini, the workaround was successful.

Thankfully, iCloud Keychain remained disabled after I connected to WiFi again, and even after I rebooted, so this seems like a permanent solution!

The success of the trial run gave me the confidence to update my main development machine, an M1 MacBook Pro, from Ventura to Sonoma. Unfortunately, for unknown reasons, I experienced a different result the second time. As before, the workaround did successfully prevent Sonoma from connecting to my WiFi network. And as before, I confirmed in System Settings that iCloud Keychain was still disabled after the Sonoma update. However, after I finally connected to my WiFi network again, I discovered to my horror that Sonoma did then silently enable iCloud Keychain. My workaround was ultimately futile.
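Since System Settings showed the toggle off while sync had in fact been turned on, it helps to have a second, independent check. The following is an added example, not code from the original post: it reads the iCloud account's service list and reports the Keychain sync state. It assumes that ~/Library/Preferences/MobileMeAccounts.plist has an Accounts array whose Services entries carry Name "KEYCHAIN_SYNC" and an Enabled flag; the sample plists are constructed to mirror that assumed layout, so confirm it against your own file before trusting the verdict.

```python
# Added example (not from the original post): report whether iCloud
# Keychain sync is on, independently of the System Settings toggle.
# ASSUMPTION: the layout Accounts -> Services -> {Name: "KEYCHAIN_SYNC",
# Enabled: bool} matches ~/Library/Preferences/MobileMeAccounts.plist.
import plistlib
from pathlib import Path
from typing import Optional

DEFAULT_PLIST = Path.home() / "Library" / "Preferences" / "MobileMeAccounts.plist"


def keychain_sync_enabled(plist_bytes: bytes) -> Optional[bool]:
    """True/False for the KEYCHAIN_SYNC service, or None if no such
    service entry exists (no signed-in account, or unexpected layout)."""
    data = plistlib.loads(plist_bytes)
    for account in data.get("Accounts", []):
        for service in account.get("Services", []):
            if service.get("Name") == "KEYCHAIN_SYNC":
                # Enabled may be stored as a bool or as the integer 1/0.
                return bool(service.get("Enabled", False))
    return None


def check_mac(path: Path = DEFAULT_PLIST) -> str:
    """Human-readable verdict for the plist at `path` (macOS only)."""
    if not path.exists():
        return f"{path}: not found (no iCloud account on this Mac?)"
    state = keychain_sync_enabled(path.read_bytes())
    if state is None:
        return "KEYCHAIN_SYNC entry not present"
    return "iCloud Keychain sync is " + ("ENABLED" if state else "disabled")


# Constructed samples mirroring the assumed layout; not real accounts.
SAMPLE_ENABLED = plistlib.dumps({
    "Accounts": [{
        "AccountID": "user@example.com",
        "Services": [
            {"Name": "MOBILE_DOCUMENTS", "Enabled": False},
            {"Name": "KEYCHAIN_SYNC", "Enabled": True},
        ],
    }],
})
SAMPLE_DISABLED = plistlib.dumps({
    "Accounts": [{
        "AccountID": "user@example.com",
        "Services": [{"Name": "KEYCHAIN_SYNC", "Enabled": 0}],
    }],
})
SAMPLE_NO_ACCOUNT = plistlib.dumps({"Accounts": []})

if __name__ == "__main__":
    print(check_mac())
```

Run it right after connecting to WiFi again following an update, and compare its verdict with what the "Sync this Mac" toggle shows.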

iCloud Passwords & Keychain: Sync this Mac

By the way, toggling off "Sync this Mac" caused System Settings to hang and eventually crash the preference pane, which also happened in one of my earlier trial runs. Has anybody inside Apple ever tested this scenario?

Settings Error: Extension process Apple ID exited.

On my Mac mini already running Sonoma, I saw a new warning in System Settings, "Some iCloud Data Isn't Syncing".

Your end-to-end encrypted data stored in iCloud can't be accessed on this device. It includes saved passwords and data from Health and Maps. Verify your account information to resume syncing.
Some iCloud Data Isn't Syncing

(It should be noted that I don't use Health or Apple Maps.)

Clicking the Resume Data Sync button made the warning go away and didn't enable iCloud Keychain on the Mac mini, but I don't know why I was getting the warning in the first place. I didn't see the same warning on my iPad, also signed into iCloud.

Another bit of Sonoma bugginess I experienced was a zombie keychain that could not be removed from the Keychain Access app.

System Keychains: Ventura

What happened was that after I noticed iCloud Keychain had been silently enabled on my MacBook Pro, I copied my login (non-system) keychain from one of my Ventura backups (of course I made redundant backups before updating to Sonoma), renamed it to "Ventura", and imported it into Keychain Access for the purpose of comparing the old and new login keychains, checking for data loss or other issues. Fortunately, I found no issues, so I deleted the imported Ventura keychain from Keychain Access. Nonetheless, the next time I launched Keychain Access, I found the above zombie keychain, misplaced under System Keychains, with all menu items disabled.

I was able to solve this problem by once again copying the old keychain file from backup and putting it in the same place on disk as before. Then the next time I launched Keychain Access, the Ventura keychain appeared enabled under the correct category of Custom Keychains instead of System Keychains, and on the second try I was able to delete the keychain permanently. But wow, none of my experience here inspires confidence in Apple's software quality, especially with regard to "security".

An unpleasant side effect of updating to Sonoma—as if there weren't enough unpleasant side effects already—is that logging into App Store Connect now offers passkeys as the default rather than passwords, despite the fact that I don't have any passkeys saved and indeed cannot save any passkeys with iCloud Keychain disabled. So now there are extra steps to log in, and Apple makes you log in again every time Safari is relaunched, because as I've blogged about multiple times, App Store Connect is the worst web site ever made.

App Store Connect: Passkey for this website

I'm currently working on a solution to this problem. I have noticed that the passkey option goes away if I spoof the browser User-Agent as Chrome.

You (a Borg) might ask, why don't I just "go with the flow", adopt iCloud Keychain and passkeys? (Resistance is futile. You will be assimilated.) On principle, I should not have to upload my data to Apple if I don't want to. Apple advertises itself as the "privacy" company, but uploading user data to Apple's servers without notice or consent is a gross violation of privacy. I've always managed my data myself, taking personal responsibility for protecting it and backing it up. I don't want or need Apple to insert itself into this process as a remote nanny. Paternalism makes my blood boil.

Moreover, even if I wanted to use iCloud Keychain, why in the world should I trust the sync system to work correctly when faced with Apple's demonstrably poor software quality? Something else I noticed after updating to Sonoma: although I've tried many times in the past to extinguish it, the text replacement "omw" has once again returned, almost like a cicada.

System Settings Text Replacements: On my way!
