homebysix / jss-filevault-reissue

A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.
Apache License 2.0

Support new output of fdesetup for escrow in macOS 10.13 #6

Closed haircut closed 6 years ago

haircut commented 6 years ago

The output of fdesetup changerecovery has changed in 10.13 such that "Escrowing recovery key..." (L225) is no longer a valid indicator that escrow is occurring. This script will fail on 10.13 and produce an invalid error message.

I'd suggest a change to the logic to instead check for a recent modification to /var/db/FileVaultPRK.dat, which indicates the recovery key has been updated. The following command will determine the number of minutes since last modification of this file:

expr $(expr $(date +%s) - $(stat -f "%Sm" -t "%s" /var/db/FileVaultPRK.dat)) / 60

If this is less than some arbitrary value – say, 5 (minutes) – we can reasonably assume the recovery key is changed and the script was successful.

At its core, this is no less confirmation than was provided by grepping for "Escrowing recovery key..." since that did not indicate success – only an attempt.

I'm happy to make the changes and send a PR if this seems like a reasonable solution.

MScottBlake commented 6 years ago

Since the script itself is changing the key, I feel like it would be more reliable to check the modification date of that file before and after the change and then just compare the values. Of course, we'd need to handle the case where the file doesn't exist, but that's also trivial.

Anyone see an issue with the logic or maybe come up with something better?
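An added example, not code from the repository or from either commenter, of the before/after comparison described above, including the case where the key file does not yet exist. The `PRK_PATH` override, the `uname` branch for GNU vs. BSD `stat`, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Confirm that an escrow command actually rewrote the recovery key file by
# comparing its mtime before and after, instead of grepping fdesetup output.
# PRK_PATH is overridable so the logic can be exercised on a constructed file.
PRK_PATH="${PRK_PATH:-/var/db/FileVaultPRK.dat}"

# Print the file's modification time as epoch seconds; print 0 when the file
# does not exist, so a missing file is handled rather than aborting the check.
prk_mtime() {
    path="$1"
    [ -e "$path" ] || { echo 0; return 0; }
    case "$(uname -s)" in
        Darwin) stat -f %m "$path" ;;   # BSD/macOS stat: %m is epoch seconds
        *)      stat -c %Y "$path" ;;   # GNU/Linux stat
    esac
}

# Succeed (exit 0) only when the key file is strictly newer than the snapshot
# taken before the change ran. "Missing before, present after" is 0 -> mtime,
# which also counts as a change. Granularity is one second.
prk_was_rewritten() {
    before="$1"; after="$2"
    [ "$after" -gt "$before" ]
}

# Run the supplied command (e.g. fdesetup changerecovery -personal ...)
# between two mtime snapshots and report whether the key file changed.
escrow_and_verify() {
    before=$(prk_mtime "$PRK_PATH")
    "$@"
    rc=$?
    after=$(prk_mtime "$PRK_PATH")
    if prk_was_rewritten "$before" "$after"; then
        echo "recovery key file updated (mtime $before -> $after)"
        return 0
    fi
    echo "recovery key file NOT updated (command exit status $rc)" >&2
    return 1
}
```

Because the comparison is on whole seconds, take the "before" snapshot immediately before invoking fdesetup and treat an unchanged mtime as a failed escrow, not as an inconclusive one.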

smashism commented 6 years ago

For what it's worth, here are some log entries when trying to run the script as-is on a 10.13 machine:

2017-09-21 10:14:56.128409-0500 0xc973 Default 0x0 5509 0 fdesetup: [com.apple.ManagedClient.ManagedClient] fdesetup:removePersonalRecoveryKey unable to find and remove personal recovery user; error: -69594
2017-09-21 10:14:56.128495-0500 0xc973 Default 0x0 5509 0 fdesetup: [com.apple.ManagedClient.ManagedClient] fdesetup:changePersonalRecoveryKey unable to remove existing recovery key. This may be ok if you werent expecting one. error: -69594 (Unable to remove personal recovery key record)
2017-09-21 10:14:56.384146-0500 0xc973 Default 0x0 5509 0 fdesetup: [com.apple.ManagedClient.ManagedClient] fdesetup:changePersonalRecoveryKey unable to create personal recovery user; error: 5103 ()

haircut commented 6 years ago

@MScottBlake's suggestion is much better. I'll work on a fork.

haircut commented 6 years ago

One method using @MScottBlake's suggestion at https://github.com/haircut/jss-filevault-reissue/commit/f771b4f4468986ff00bf2022c13fae162ff0c676

haircut commented 6 years ago

The suggested workflow has been implemented and can be further discussed in PR-7. As such, I'll close this issue.