Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

macos: always pass -a "${VOLUME}" and -s "Nix Store" #1236

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

macos: always pass -a "${VOLUME}" and -s "Nix Store" #1236

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c206cd7
encrypt_apfs_volume: always pass `-a "${VOLUME}"` and `-s "Nix Store"`
hispirus Oct 17, 2024
efc3eb6
create_volume_service: always pass `-a "${VOLUME}"` and `-s "Nix Store"`
hispirus Oct 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/action/macos/create_volume_service.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -258,7 +258,7 @@ async fn generate_mount_plist(
// The official Nix scripts uppercase the UUID, so we do as well for compatibility.
let uuid_string = uuid.to_string().to_uppercase();
let mount_command = if encrypt {
let encrypted_command = format!("/usr/bin/security find-generic-password -s {apfs_volume_label_with_quotes} -w | /usr/sbin/diskutil apfs unlockVolume {apfs_volume_label_with_quotes} -mountpoint {mount_point:?} -stdinpassphrase");
let encrypted_command = format!("/usr/bin/security find-generic-password -a {apfs_volume_label_with_quotes} -s \"Nix Store\" -w | /usr/sbin/diskutil apfs unlockVolume {apfs_volume_label_with_quotes} -mountpoint {mount_point:?} -stdinpassphrase");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if instead we should pass the label here as well?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm I suppose your thinking here is the Service is "nix store" and the "account" is this particular store. That makes sense.

@cole-h I wonder if we need to similarly update where we create / store the password?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the generic-password occurrences in plan() and execute(), they're already set up as proposed in this PR, so no change is necessary. This simply aligns the behavior of revert() and, arguably more importantly, generate_mount_plist(), so mounting the volume immediately after creating it actually works.

Passing the label for both is what revert() is doing prior to this change, so you could say there is precedent in either direction. I suspect it doesn't much matter which way the cat is skinned as long as it's consistent.

The explicit mention of Nix emphasizes that this isn't some generic encrypted volume, but one managed by Nix and nix-installer. It also looks a bit more polished in Keychain Access.

There shouldn't be any more generic-password calls in the tree unless GitHub search isn't as thorough as I imagine.

I hope this answers your questions!

vec!["/bin/sh".into(), "-c".into(), encrypted_command]
} else {
vec![
Expand Down
2 changes: 1 addition & 1 deletion src/action/macos/encrypt_apfs_volume.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -251,7 +251,7 @@ impl Action for EncryptApfsVolume {
"-a",
self.name.as_str(),
"-s",
self.name.as_str(),
"Nix Store",
"-l",
format!("{} encryption password", disk_str).as_str(),
"-D",
Expand Down
Loading