Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

macos: always pass -a "${VOLUME}" and -s "Nix Store" #1236

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

hispirus
Copy link

Description

/usr/bin/security {add,find,delete}-generic-password accepts both -a account and -s service parameters as password lookup keys. Always pass -a "${VOLUME}" and -s "Nix Store". With this change, installation succeeds even with --encrypt set to true and --volume-label set to any value deviating from Nix Store.

Checklist
  • Formatted with cargo fmt
  • Built with nix build
  • Ran flake checks with nix flake check
  • Added or updated relevant tests (leave unchecked if not applicable)
  • Added or updated relevant documentation (leave unchecked if not applicable)
  • Linked to related issues (leave unchecked if not applicable)
Validating with install.determinate.systems

If a maintainer has added the upload to s3 label to this PR, it will become available for installation via install.determinate.systems:

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/pr/$PR_NUMBER | sh -s -- install

`/usr/bin/security {add,find,delete}-generic-password` accepts both `-a account` and `-s service` parameters as password lookup keys. Always pass `-a "${VOLUME}"` and `-s "Nix Store"`. With this change, installation succeeds even with `--encrypt` set to `true` and `--volume-label` set to any value deviating from `Nix Store`.
`/usr/bin/security {add,find,delete}-generic-password` accepts both `-a account` and `-s service` parameters as password lookup keys. Always pass `-a "${VOLUME}"` and `-s "Nix Store"`. With this change, installation succeeds even with `--encrypt` set to `true` and `--volume-label` set to any value deviating from `Nix Store`.
@@ -258,7 +258,7 @@ async fn generate_mount_plist(
// The official Nix scripts uppercase the UUID, so we do as well for compatibility.
let uuid_string = uuid.to_string().to_uppercase();
let mount_command = if encrypt {
let encrypted_command = format!("/usr/bin/security find-generic-password -s {apfs_volume_label_with_quotes} -w | /usr/sbin/diskutil apfs unlockVolume {apfs_volume_label_with_quotes} -mountpoint {mount_point:?} -stdinpassphrase");
let encrypted_command = format!("/usr/bin/security find-generic-password -a {apfs_volume_label_with_quotes} -s \"Nix Store\" -w | /usr/sbin/diskutil apfs unlockVolume {apfs_volume_label_with_quotes} -mountpoint {mount_point:?} -stdinpassphrase");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if instead we should pass the label here as well?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm I suppose your thinking here is the Service is "nix store" and the "account" is this particular store. That makes sense.

@cole-h I wonder if we need to similarly update where we create / store the password?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the generic-password occurrences in plan() and execute(), they're already set up as proposed in this PR, so no change is necessary. This simply aligns the behavior of revert() and, arguably more importantly, generate_mount_plist(), so mounting the volume immediately after creating it actually works.

Passing the label for both is what revert() is doing prior to this change, so you could say there is precedent in either direction. I suspect it doesn't much matter which way the cat is skinned as long as it's consistent.

The explicit mention of Nix emphasizes that this isn't some generic encrypted volume, but one managed by Nix and nix-installer. It also looks a bit more polished in Keychain Access.

There shouldn't be any more generic-password calls in the tree unless GitHub search isn't as thorough as I imagine.

I hope this answers your questions!

@hispirus hispirus mentioned this pull request Dec 3, 2024
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants