openwall-com-au / BootUnlock

A helper script that unlocks macOS'es encrypted APFS volumes before login
GNU General Public License v3.0

macOS Catalina support #4

Closed galaxy4public closed 4 years ago

galaxy4public commented 5 years ago

BootUnlock package fails to install on macOS Catalina. All steps up to the selection of the encrypted volumes are fine, but once the encrypted volumes are selected (even if it is just one) there is no prompt for the unlocking password.

galaxy4public commented 5 years ago

OK, I did some analysis and the issue has two facets, actually:

  1. The update.sh script is trying to "borrow" the disk icon from the "Disk Utility" app, but the corresponding osascript call (path to "apps") no longer works. Any attempt to get a path to the new location of "Disk Utility" (which is now in /System/Applications) ends up with a nag dialog which would confuse the end user. Not something I want to do for just presenting an icon.

  2. macOS Catalina, in comparison to Mojave, is now pre-creating the parent folder for the user homes (e.g. if your user account is user with the home directory set to /Volumes/Home/user, the /Volumes/Home directory will be pre-created before BootUnlock is run). So, when the BootUnlock process is run there is an already existing directory with the name of the home volume, so BootUnlock mounts the volume by appending 1 to the name (e.g. /Volumes/Home 1) - obviously this renders the whole idea non-operational.

The biggest problem is the latter and unless I figure out how to either suppress the creation of the parent directory or find a way to run BootUnlock before that creation of the directory there will be no macOS support for having your encrypted volumes for home directories -- and this is the whole purpose of this package. :(

If anyone has any ideas re: how to handle this -- please don't hesitate to comment here.

juanjonol commented 5 years ago

Hi!

I had your second issue in Unlock-Redux too. This was an Apple bug, and was fixed in macOS Catalina beta 3.

Good luck!

galaxy4public commented 5 years ago

@juanjonol, thanks! I actually raised a bug report with Apple the moment I discovered the issue, so chances are I contributed to the resolution. Since Catalina was released on Oct 07, 2019 -- I am currently installing it to see whether it was indeed resolved the way I expect.

galaxy4public commented 5 years ago

Confirmed with the release of Catalina Apple fixed the issue with auto-creating mount points. However, the osascript dialogs are all messed up and the icon is the least issue. I was able to install the latest release of BootUnlock and then manually add entries for my external drives -- this worked. Need to fix the UI now.

ClayStudio commented 5 years ago

I want to encrypt my Catalina setup and since I store my home account on a different partition I need this tool to be able to log in. Everything worked fine on Mojave with v1.0, but with Catalina it goes through the entire install package through the selection of the encrypted drive. After the selection of the drive it never asks for the password and then it goes to the Summary screen with "The Installation Failed" - "The installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance."

I installed the BootUnlock-1.1.0.pkg standard build and when that failed I rebuilt the package from the files provided; both had the same result. Not sure this adds anything to the discussion, but wanted to document.

When I check the log file after the failure... I see...

=== Mon Oct 14 21:24:03 EDT 2019 ===
=== Mon Oct 14 21:24:44 EDT 2019 ===
=== Mon Oct 14 21:25:32 EDT 2019 ===
===[ update.sh: Mon Oct 14 21:26:14 EDT 2019 ]===
4:292: execution error: Can’t make file "MacHD:Applications:Utilities:Disk Utility.app:Contents:Resources:AppIcon.icns" into type number or string. (-1700)

galaxy4public commented 5 years ago

@ClayStudio, I am still working on a workaround (Catalina will be properly supported in version 1.2.0). However, to unblock you there are a couple of things to know:

  1. The unblocking script itself works fine with Catalina (or any other macOS past High Sierra)
  2. The failing part is to get user input and to create the items in the System keychain.

So, after you installed version 1.1.0 (even though the installation says it failed), all you need to do is to run (replace $NAME with the name of your volume, e.g. Home):

sudo /usr/bin/security add-generic-password -a "$UUID" -s "$UUID" -l "$NAME" -D 'Encrypted Volume Password' -T '' -T /Library/PrivilegedHelperTools/au.com.openwall.BootUnlock/BootUnlock -w "$PASSPHRASE" -U /Library/Keychains/System.keychain

where $PASSPHRASE is the password for the volume and $UUID can be found with (replace $NAME with the name of your volume, e.g. Home):

diskutil apfs list -plist | grep -A1 -E '<key>(Name|APFSVolumeUUID)' | fgrep -B4 "$NAME"

This will create the corresponding entry in the System keychain and BootUnlock will be able to unlock the volume as before.

Hope this helps.
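The two manual steps above (find the volume's APFSVolumeUUID, then store the passphrase in the System keychain with access limited to the BootUnlock helper) as one script. This is an added example, not part of BootUnlock or of the comment above; it replaces the grep/fgrep pipeline with a small awk parser that walks the plist and also reports whether the volume is actually encrypted, so a mistyped name or an unencrypted volume is caught before anything is written to the keychain. The plist is constructed sample data with placeholder UUIDs; on a real machine the printf is replaced by `diskutil apfs list -plist`. The keychain command is only assembled and printed for review, with $PASSPHRASE left as a literal so the secret never ends up in shell history or a log.

```sh
#!/bin/sh
# Added example (not BootUnlock's own code): look up an APFS volume's UUID by
# name and build the `security add-generic-password` command from the thread.
# Assumes the BootUnlock helper path from the comment above.
HELPER=/Library/PrivilegedHelperTools/au.com.openwall.BootUnlock/BootUnlock

# Constructed sample of `diskutil apfs list -plist` output (UUIDs are placeholders).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Containers</key>
  <array>
    <dict>
      <key>Volumes</key>
      <array>
        <dict>
          <key>APFSVolumeUUID</key>
          <string>11111111-2222-3333-4444-555555555555</string>
          <key>Encryption</key>
          <true/>
          <key>Name</key>
          <string>Home</string>
        </dict>
        <dict>
          <key>APFSVolumeUUID</key>
          <string>AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE</string>
          <key>Encryption</key>
          <false/>
          <key>Name</key>
          <string>Macintosh HD</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>'

# Read plist XML on stdin and print "<uuid> <yes|no>" for the volume named $1
# (second field: whether the volume is encrypted). diskutil emits dictionary
# keys in sorted order, so APFSVolumeUUID and Encryption both precede Name
# inside each volume dictionary; the parser relies on that ordering.
volume_info() {
    awk -v want="$1" '
        /<key>APFSVolumeUUID<\/key>/ { state = "uuid"; enc = ""; next }
        /<key>Encryption<\/key>/     { state = "enc"; next }
        /<key>Name<\/key>/           { state = "name"; next }
        state == "enc" && /<(true|false)\/>/ {
            enc = ($0 ~ /<true\/>/) ? "yes" : "no"; state = ""; next
        }
        /<string>/ {
            val = $0
            sub(/^[[:space:]]*<string>/, "", val)
            sub(/<\/string>.*$/, "", val)
            if (state == "uuid") uuid = val
            else if (state == "name" && val == want) { print uuid, enc; exit }
            state = ""
        }
    '
}

# Just the UUID, for use in the keychain command.
volume_uuid() { volume_info "$1" | cut -d" " -f1; }

# Assemble the keychain command (name=$1, uuid=$2) as one line for review.
# -T '' keeps the default app list empty; -T $HELPER is the only allowed reader.
keychain_add_cmd() {
    name=$1 uuid=$2
    printf '%s\n' "sudo /usr/bin/security add-generic-password -a \"$uuid\" -s \"$uuid\" -l \"$name\" -D 'Encrypted Volume Password' -T '' -T $HELPER -w \"\$PASSPHRASE\" -U /Library/Keychains/System.keychain"
}

# Demo against the constructed plist. On a real machine use:
#   diskutil apfs list -plist | volume_info "$NAME"
demo() {
    info=$(printf '%s\n' "$SAMPLE_PLIST" | volume_info "$1")
    [ -n "$info" ] || { echo "no APFS volume named '$1'" >&2; return 1; }
    uuid=${info%% *}; enc=${info#* }
    [ "$enc" = "yes" ] || { echo "volume '$1' is not encrypted; nothing to store" >&2; return 1; }
    echo "UUID for '$1': $uuid"
    keychain_add_cmd "$1" "$uuid"
}

demo Home
```

Run it as-is to see the command for the sample "Home" volume; `demo "Macintosh HD"` exits non-zero because that sample volume is not encrypted.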

ClayStudio commented 5 years ago

@galaxy4public, Thank you. Your guidance was right on. Everything works as designed.

Thank you for supporting this tool. Keeping data files separated from the OS has been my strategy since the late 90's and with encryption now being used, this tool is the only solution for mounting apfs volumes on boot.

galaxy4public commented 5 years ago

OK, I went into a rabbit hole and figured that Apple broke AppleScript beyond possible repair (if you search the Net you will find complaints that AppleScript was replaced by JXA and the latter was also abandoned right away).

In any case, I am currently working on rewriting the glue part (user UI) using JXA and the corresponding bridge to Objective-C (still, no compilation would be needed). However, due to scarce documentation the work is progressing very slowly. I expect another week before I release a new version that would work on Catalina right away. :(

folotp commented 4 years ago

Any update on progress to support Catalina?

galaxy4public commented 4 years ago

@folotp, sorry I was on a long annual leave break. Should look into this over the weekend and hopefully release a fixed version.