From 1fd127a06833c19a5a2965bd41cf4f695773cca6 Mon Sep 17 00:00:00 2001
From: "Travis A. Everett"
Date: Fri, 18 Feb 2022 23:15:37 -0600
Subject: [PATCH 1/2] install-darwin: fix mount permission edge-case
Fixes #6122, which reports a problem with trying to run the installer under another user (probably: user is not the disk "owner" and thus can't mount the volume).
---
 scripts/create-darwin-volume.sh | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/scripts/create-darwin-volume.sh b/scripts/create-darwin-volume.sh
index bd8a7ee3a..ece4f29bb 100755
--- a/scripts/create-darwin-volume.sh
+++ b/scripts/create-darwin-volume.sh
@@ -685,22 +685,27 @@ encrypt_volume() {
 local volume_uuid="$1"
 local volume_label="$2"
 local password
+
+ task "Encrypt the Nix volume" >&2
+
 # Note: mount/unmount are late additions to support the right order
 # of operations for creating the volume and then baking its uuid into
 # other artifacts; not as well-trod wrt to potential errors, race
 # conditions, etc.
- /usr/sbin/diskutil mount "$volume_label"
+ _sudo "to mount your Nix volume for encrypting" \
+ /usr/sbin/diskutil mount "$volume_label"
 password="$(/usr/bin/xxd -l 32 -p -c 256 /dev/random)"
 _sudo "to add your Nix volume's password to Keychain" \
 /usr/bin/security -i <
Date: Tue, 22 Feb 2022 12:44:15 -0600
Subject: [PATCH 2/2] install-darwin: track mount permission edge-case fix
Same as 1fd127a06833c19a5a2965bd41cf4f695773cca6, but applied to a code path (volume_pass_works -> verify_volume_pass) that the reporting user didn't hit and wasn't able to trigger manually. I am not certain but I suspect it will be easier to add prophylactically than to debug if its absence causes trouble some day.
---
 scripts/create-darwin-volume.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/create-darwin-volume.sh b/scripts/create-darwin-volume.sh
index ece4f29bb..4bac4b7ba 100755
--- a/scripts/create-darwin-volume.sh
+++ b/scripts/create-darwin-volume.sh
@@ -246,7 +246,8 @@ get_volume_pass() {
 verify_volume_pass() {
 local volume_special="$1" # (i.e., disk1s7)
 local volume_uuid="$2"
- /usr/sbin/diskutil apfs unlockVolume "$volume_special" -verify -stdinpassphrase -user "$volume_uuid"
+ _sudo "to confirm the password actually unlocks the volume" \
+ /usr/sbin/diskutil apfs unlockVolume "$volume_special" -verify -stdinpassphrase -user "$volume_uuid"
 }
 volume_pass_works() {
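Review bot: In `verify_volume_pass` the volume passphrase arrives on stdin (`-stdinpassphrase`), and the new `_sudo` wrapper now sits between that pipe and `diskutil`, so the call only works if `_sudo` passes stdin through unread. `_sudo` is defined outside this hunk; if it, or the local sudo configuration, ever reads the sudo password from stdin, the volume passphrase would be consumed before `diskutil` sees it. A sudo failure (no tty, declined prompt) also exits non-zero just like a wrong passphrase, and the caller `volume_pass_works`, whose body is outside the hunk, presumably cannot tell the two apart. I would document this above the call with `# stdin carries the volume passphrase; _sudo must not read stdin, and a non-zero exit can also mean sudo itself failed`.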