Get key provisioning working better

src/action/darwin/create_apfs_volume.rs

@@ -79,13 +79,15 @@ impl CreateApfsVolume {
             None
         };
 
+        let name_with_qoutes = format!("\"{name}\"");
         let mount_command = if encrypt {
             vec![
                 "/bin/sh",
                 "-c",
-                "/usr/bin/security find-generic-password",
+                "/usr/bin/security",
+                "find-generic-password",
                 "-s",
-                "{name}",
+                name_with_qoutes.as_str(),
                 "-w",
                 "|",
                 "/usr/sbin/diskutil",

src/action/darwin/enable_ownership.rs

@@ -60,8 +60,7 @@ impl Action for EnableOwnership {
                     .args(["info", "-plist"])
                     .arg(&path),
             )
-            .await
+            .await?
-            .unwrap()
             .stdout;
             let the_plist: DiskUtilOutput = plist::from_reader(Cursor::new(buf)).unwrap();
 

src/action/darwin/encrypt_volume.rs

@@ -75,12 +75,14 @@ impl Action for EncryptVolume {
 
         let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */
 
+        execute_command(Command::new("/usr/sbin/diskutil").arg("mount").arg(&name)).await?;
+
         // Add the password to the user keychain so they can unlock it later.
-        let _password_output = execute_command(
+        execute_command(
             Command::new("/usr/bin/security").args([
                 "add-generic-password",
                 "-a",
-                disk_str,
+                name.as_str(),
                 "-s",
                 name.as_str(),
                 "-l",
@@ -109,7 +111,7 @@ impl Action for EncryptVolume {
         execute_command(Command::new("/usr/sbin/diskutil").args([
             "apfs",
             "encryptVolume",
-            disk_str,
+            name.as_str(),
             "-user",
             "disk",
             "-passphrase",
@@ -117,6 +119,14 @@ impl Action for EncryptVolume {
         ]))
         .await?;
 
+        execute_command(
+            Command::new("/usr/sbin/diskutil")
+                .arg("unmount")
+                .arg("force")
+                .arg(&name),
+        )
+        .await?;
+
         tracing::trace!("Encrypted volume");
         *action_state = ActionState::Completed;
         Ok(())
@@ -135,17 +145,40 @@ impl Action for EncryptVolume {
     ))]
     async fn revert(&mut self) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
         let Self {
-            disk: _,
+            disk,
-            name: _,
+            name,
             action_state,
         } = self;
         if *action_state == ActionState::Uncompleted {
-            tracing::trace!("Already reverted: Unencrypted volume (noop)");
+            tracing::trace!("Already reverted: Unencrypted volume");
             return Ok(());
         }
-        tracing::debug!("Unencrypted volume (noop)");
+        tracing::debug!("Unencrypted volume");
 
-        tracing::trace!("Unencrypted volume (noop)");
+        let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */
+
+        // TODO: This seems very rough and unsafe
+        execute_command(
+            Command::new("/usr/bin/security").args([
+                "delete-generic-password",
+                "-a",
+                name.as_str(),
+                "-s",
+                name.as_str(),
+                "-l",
+                format!("{} encryption password", disk_str).as_str(),
+                "-D",
+                "Encrypted volume password",
+                "-j",
+                format!(
+                    "Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"
+                )
+                .as_str(),
+            ]),
+        )
+        .await?;
+
+        tracing::trace!("Unencrypted volume");
         *action_state = ActionState::Completed;
         Ok(())
     }