fixup! set service of keychain entry to volume uuid

NixOS · Oct 25, 2020 · 0c565a2 · 0c565a2
1 parent 97d946a
commit 0c565a2
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/scripts/create-darwin-volume.sh b/scripts/create-darwin-volume.sh
@@ -94,14 +94,15 @@ EOF
 }
 
 prepare_darwin_volume_password(){
-    sudo /usr/bin/expect -f - "$1" << 'EOF'
+    sudo /usr/bin/expect -f - "$1" "$2" << 'EOF'
 log_user 0
 set VOLUME [lindex $argv 0];
+set UUID [lindex $argv 1];
 set PASSPHRASE [exec /usr/bin/ruby -rsecurerandom -e "puts SecureRandom.hex(32)"]
 
 # Cargo culting: people recommend this; not sure how necessary
 set send_slow {1 .1}
-spawn /usr/bin/sudo /usr/bin/security add-generic-password -a "$VOLUME" -D "$VOLUME encryption password" -U -w
+spawn /usr/bin/sudo /usr/bin/security add-generic-password -a "$VOLUME" -s "$UUID" -D "$VOLUME encryption password" -U -w
 expect {
     "password data for new item: " {
         send -s -- "$PASSPHRASE\r"
@@ -186,6 +187,7 @@ main() {
         echo "Creating a Nix volume..." >&2
 
         sudo diskutil apfs addVolume "$disk" APFS "$volume" -mountpoint /nix
+        new_uuid="$(volume_uuid "$volume")"
 
         if [ "$INSTALL_MODE" = "no-daemon" ]; then # exported by caller
             # TODO: is there a better way to do this?
@@ -203,7 +205,7 @@ main() {
             # can tell, the file with this password (/var/db/SystemKey) is
             # inside the FileVault envelope. If that isn't true, it may make
             # sense to store the password inside the envelope?
-            sudo /usr/bin/security add-generic-password -a "$volume" -s "$(volume_uuid "$volume")" -D "$volume encryption password" -j "Added automatically by the Nix installer for use by /Library/LaunchDaemons/org.nixos.darwin-store.plist" "/Library/Keychains/System.keychain"
+            sudo /usr/bin/security add-generic-password -a "$volume" -s "$new_uuid" -D "$volume encryption password" -j "Added automatically by the Nix installer for use by /Library/LaunchDaemons/org.nixos.darwin-store.plist" "/Library/Keychains/System.keychain"
             # TODO: decide if we should add `-T /System/Library/CoreServices/APFSUserAgent`
             # This should let the system seamlessly supply the password for this volume
             # which in turn means the fstab entry is enough for the system to (eventually)
@@ -214,7 +216,7 @@ main() {
 
             # 2. add a password with the -U (update) flag and -w (prompt if last)
             #    flags, but specify no keychain; security will use the first it finds
-            prepare_darwin_volume_password "$volume" | sudo diskutil apfs encryptVolume "$volume" -user disk -stdinpassphrase
+            prepare_darwin_volume_password "$volume" "$new_uuid" | sudo diskutil apfs encryptVolume "$volume" -user disk -stdinpassphrase
         fi
     else
         echo "Using existing '$volume' volume" >&2