openwall-com-au / BootUnlock

A helper script that unlocks macOS'es encrypted APFS volumes before login
GNU General Public License v3.0
51 stars 7 forks source link

Installation failed, Mojave #8

Closed Wilfried84 closed 5 years ago

Wilfried84 commented 5 years ago

I tried to install it with the BootUnlock 1.1.0 installer downloaded here, and it failed. I don't know enough to fix it. What's the problem, and can you fix it? Thank you. Error log:

Oct 23 00:19:09 Weibens-iMac Installer[3725]: Package Authoring Error: has an unsupported MIME type: image/data
Oct 23 00:19:09 Weibens-iMac Installer[3725]: Package Authoring Error: has an unsupported MIME type: X-NSObject/NSNumber
Oct 23 00:19:09 Weibens-iMac Installer[3725]: Package Authoring Error: has an unsupported MIME type: X-NSObject/NSNumber
Oct 23 00:19:09 Weibens-iMac Installer[3725]: Package Authoring Error: has an unsupported MIME type: X-NSObject/NSNumber
Oct 23 00:19:26 Weibens-iMac installd[3686]: PackageKit: ----- Begin install -----
Oct 23 00:19:27 Weibens-iMac installd[3686]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “BootUnlock-1.1.0.pkg”." UserInfo={NSFilePath=./postinstall, NSURL=file:///Users/weiben/Downloads/BootUnlock-1.1.0.pkg#BootUnlock-1.1.0-dist.pkg, PKInstallPackageIdentifier=au.com.openwall.BootUnlock, NSLocalizedDescription=An error occurred while running scripts from the package “BootUnlock-1.1.0.pkg”.} {
    NSFilePath = "./postinstall";
    NSLocalizedDescription = "An error occurred while running scripts from the package \U201cBootUnlock-1.1.0.pkg\U201d.";
    NSURL = "file:///Users/weiben/Downloads/BootUnlock-1.1.0.pkg#BootUnlock-1.1.0-dist.pkg";
    PKInstallPackageIdentifier = "au.com.openwall.BootUnlock";
}
Oct 23 00:19:27 Weibens-iMac Installer[3725]: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
Oct 23 00:19:27 Weibens-iMac Installer[3725]: Displaying 'Install Failed' UI.
Oct 23 00:19:28 Weibens-iMac Installer[3725]: 'Install Failed' UI displayed message:'The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.'.

galaxy4public commented 5 years ago

I am acknowledging that the issue was noticed. I will do my best to provide some assistance, but it may take a bit of time since I would need to install latest Mojave in order to try to reproduce it.

Anyway, since the package is extremely small (8KB) there are two possible points of failure:

  1. It fails before you are presented with the installation wizard
  2. It fails at the last step of the installation wizard

I suspect it is the latter and if it is so, then it is likely that Apple backported some stuff from Catalina to Mojave (most likely things around osascript we are using for user dialogs). If this is the case, then you can confirm that the BootUnlock was installed successfully by rebooting your system and checking the `/var/log/BootUnlock.log` file to have a record for the reboot. If the file is present and there is a fresh entry for the latest reboot, then I already described how to configure your volume manually in #4 (nothing changed under the hood since High Sierra, but it is UI hooks which Apple is constantly adjusting for some reason).

Wilfried84 commented 5 years ago

Yes, install fails at the last step. After entering password, I get a message, "The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance." I'm trying to follow what you're saying, but I'm afraid I'm rather naive. I looked in Console, and there was no BootUnlock under /var/log, before or after reboot. What can I try next? I would really like to get this working, so thank you for any help.

galaxy4public commented 5 years ago

I've just installed macOS Mojave 10.14.6 (the latest version available from Apple Store) and did not experience any issues with BootUnlock package downloaded from GitHub (from the release section for the project). So, it is really hard for me to provide any useful advice if I cannot reproduce the issue.

According to the log messages you provided it seems that your system does not like something in the package manifest (is there a chance that the file you downloaded got somehow damaged? have you tried to re-download the package?).

As it relates to the testing of whether the package has actually installed the core part of BootUnlock the following is the transcript of the Terminal session I had on my newly installed Mojave 10.14.6:

$ sw_vers 
ProductName:    Mac OS X
ProductVersion: 10.14.6
BuildVersion:   18G103
$ ls -ld /var/log/BootUnlock.log
-rw-r--r--  1 root  wheel  5810 24 Oct 21:26 /var/log/BootUnlock.log
$ tail -3 /var/log/BootUnlock.log 
Verifying the specific cryptographic user C1A7E5BC-3361-4E01-868E-C55D0AD9C90D on APFS Volume disk1s6
Passphrase valid
Adding password for volume "Home" with UUID C1A7E5BC-3361-4E01-868E-C55D0AD9C90D to the System keychain...
$

So, if you don't have the /var/log/BootUnlock.log file on your system something didn't work and you don't have the core part installed. But I am not sure how I can assist you.

Also, you mentioned that it fails after the password prompt, but it is not clear which one out of three possible prompts it is. During the installation of the package you were supposed to see at least three password prompts:

  1. There will be a dialog saying that "Installer is trying to install new software" and it will ask for your administrator's name and password (once you provide this info the installer will copy over package files, then is supposed to show you a dialog with all your volumes and will ask you to select the volumes you want to unlock at boot - if you see that dialog it means that you are past the following line in the post installation script: https://github.com/openwall-com-au/BootUnlock/blob/master/scripts/postinstall#L63)
  2. Once you selected an item you will be prompted for the volume password
  3. If the password you provided is correct for the volume you are trying to unlock, you will get prompted by macOS again with dialog "macOS wants to make changes. Enter an administrator's name and password to allow this. macOS wants to use the 'System' keychain."

It is clear that Apple changed something since the package was expecting that the script would be run as a non-privileged user and has code to prompt user just once for the administrative privileges, yet that code path is not executed on the latest Mojave. Yet, supplying credentials at all three steps is resulting in BootUnlock being successfully installed and configured on Mojave.

galaxy4public commented 5 years ago

Oh, I was able to reproduce exactly the install error message you've got. I got exactly the same error (with Code 112) when I clicked "Deny" in the password prompt I described under item no. 3 in the previous comment -- this results in the installation being a failure and generating the lines you posted when you opened this issue.

galaxy4public commented 5 years ago

The third prompt is triggered by this line: https://github.com/openwall-com-au/BootUnlock/blob/master/files/update.sh#L86 - basically we are trying to save the entered volume's password to the System keychain and if this fails for any reason we cannot recover.

What you can try to do is to open a Terminal session and type the following:

/Library/PrivilegedHelperTools/au.com.openwall.BootUnlock/update.sh

This will re-execute the part that failed, but due to the way Apple has designed their system - it may actually work since the execution environment would be a bit different (you will see it by the first dialog asking for admin's credentials being different this time -- it is produced by the script and is how it was supposed to be from the start).

Wilfried84 commented 5 years ago

Thank you for this. The Terminal command worked, and I was prompted for volume and password.

However, now there seems to be another problem. When I boot, it doesn't look like it unlocks the encrypted volume before boot. When the computer's booted, the encrypted volume isn't mounted. It then prompts me, "macOS wants to make changes. Enter administrator's name and password to allow this." After I do that, the encrypted volume mounts.

The whole point of all this is I would like to put the home directory on an external drive, and then encrypt the drive. With a test user, I can move the directory and boot the machine just fine, but if the disk is encrypted, I get an error, and the machine won't boot, presumably because the drive is still locked.

Do you know what's going on here? Sorry to have yet more troubles, and thank you again.

galaxy4public commented 5 years ago

It is really hard to assist without any feedback from your system - I provided Terminal commands re: how to verify that the core part of BootUnlock was installed, but you did not respond on that one. It seems that the core part is not there.

Could you try to install the package again and then validate that the BootUnlock.log file is there? I did 5 installs of the package on Mojave today (on other people's laptops) and not even once did I have an issue.

Wilfried84 commented 5 years ago

Thank you for your patience. I went over your previous messages more carefully. When installing, after agreeing to the license, it skips Destination Select (I can Change Install Location on the next screen), and I get to the "Installer is trying to install new software" prompt. After I enter my admin user password, I immediately get "The installation failed" message, so I never get to step #2 above.

Using the Terminal command you provided, I get a prompt, "BootUnlock Configurator requires administrative privileges to work where volumes and to update the system key chain." After that, I'm prompted for the volume I want to unlock, and the password.

There is a var/log/BootUnlock.log:

Verifying the specific cryptographic user B4F6F08C-5849-45C1-9ABF-F3AADB04FDAA on APFS Volume disk5s1
Passphrase valid
Adding password for volume "Home" with UUID B4F6F08C-5849-45C1-9ABF-F3AADB04FDAA to the System keychain...

I also read the installer Read Me more closely. There is a BootUnlock folder in /Library/PrivilegedHelperTools. There is an item in the System keychain for volume I'm trying to unlock. However, there is no plist that looks like it's for BootUnlock in /Library/LaunchDaemons. Maybe therein lies the problem.

galaxy4public commented 5 years ago

Thanks for spending so much time with an app that does not want to work in your environment. From the description you provided it seems that for some reason the standard macOS installer is not copying the files to the destination folder. :(

The package itself is really simple and does three things:

  1. It copies diskutil.xsl, helper.sh, and update.sh to /Library/PrivilegedHelperTools/au.com.openwall.BootUnlock/
  2. Once the files are copied the installer executes the postinstall script
  3. Finally, the postinstall executes update.sh

It seems that on your system it fails on step 2 (running the postinstall script), since this is where the .plist is created and the security tool is copied over to be able to unlock the volume.

I think if you run the following four commands it will fix the issue for you and you will be able to enjoy the automatic unlocking of your external home volume (I specifically turned on tracing, so if it fails anywhere we could understand why -- if you provide the output, of course :) ):

$ curl -o BootUnlock.postinstall 'https://raw.githubusercontent.com/openwall-com-au/BootUnlock/master/scripts/postinstall'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2028  100  2028    0     0  28166      0 --:--:-- --:--:-- --:--:-- 28166
$ sed -i -e '/update\.sh/d' BootUnlock.postinstall                        
$ chmod +x BootUnlock.postinstall
$ sudo /bin/bash -xe `pwd`/BootUnlock.postinstall
Password:
+ set -eu -o pipefail
+ NAME=BootUnlock
+ IDENTIFIER=au.com.openwall.BootUnlock
+ INSTALL_LOCATION=/Library/PrivilegedHelperTools/au.com.openwall.BootUnlock
+ LAUNCH_DAEMON_PLIST=/Library/LaunchDaemons/au.com.openwall.BootUnlock.plist
+ cp /usr/bin/security /Library/PrivilegedHelperTools/au.com.openwall.BootUnlock/BootUnlock
+ codesign -f -s - --prefix=au.com.openwall. '-r=designated => identifier au.com.openwall.BootUnlock' /Library/PrivilegedHelperTools/au.com.openwall.BootUnlock/BootUnlock
/Library/PrivilegedHelperTools/au.com.openwall.BootUnlock/BootUnlock: replacing existing signature
+ chown -h root:wheel /Library/PrivilegedHelperTools/au.com.openwall.BootUnlock/BootUnlock
+ chmod 0100 /Library/PrivilegedHelperTools/au.com.openwall.BootUnlock/BootUnlock
+ trap 'RC=$?; trap - EXIT; rm -f $TMPFILE; exit $RC' HUP INT EXIT TERM
++ mktemp -t BootUnlock.postinstall
+ TMPFILE=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/BootUnlock.postinstall.LNyyxDMt
+ cat
+ touch /var/log/BootUnlock.log
+ chown -h root:wheel /var/log/BootUnlock.log
+ chmod -h 0644 /var/log/BootUnlock.log
+ chown -h root:wheel /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/BootUnlock.postinstall.LNyyxDMt
+ chmod -h 0644 /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/BootUnlock.postinstall.LNyyxDMt
+ mv -f /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/BootUnlock.postinstall.LNyyxDMt /Library/LaunchDaemons/au.com.openwall.BootUnlock.plist
+ /bin/launchctl load /Library/LaunchDaemons/au.com.openwall.BootUnlock.plist
/Library/LaunchDaemons/au.com.openwall.BootUnlock.plist: service already loaded
+ RC=0
+ trap - EXIT
+ rm -f /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/BootUnlock.postinstall.LNyyxDMt
+ exit 0
$ 

I did not remove output to help you compare what you see to what I am seeing. Also, the sed command is just to remove the last line of the postinstall script which executes update.sh. You already did it, so there is no need to refresh the password in the System keychain.
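A read-only check of the state described in the comment above, as an added example that is not part of the thread or of the BootUnlock project: it looks for the three copied files, the re-signed `BootUnlock` binary, the LaunchDaemon plist and the log, and compares owner and mode against the trace (0100 and 0644, root). The function name and its two optional arguments (a root prefix and an expected uid, for trying it on a constructed tree) are assumptions.

```shell
#!/bin/bash
# Added example: audit the files the BootUnlock installer is expected to leave
# behind. Paths and modes come from the postinstall trace in this thread.
# audit_bootunlock [ROOT] [UID] -- both arguments are hypothetical test knobs;
# with no arguments it checks the live system and expects uid 0 (root).

audit_bootunlock() {
    local root="${1:-}" want_uid="${2:-0}" problems=0
    local dir="$root/Library/PrivilegedHelperTools/au.com.openwall.BootUnlock"
    local spec path want_mode line mode uid

    # "path|exact mode"; an empty mode means only "not group/world-writable"
    for spec in \
        "$dir/diskutil.xsl|" \
        "$dir/helper.sh|" \
        "$dir/update.sh|" \
        "$dir/BootUnlock|---x------" \
        "$root/Library/LaunchDaemons/au.com.openwall.BootUnlock.plist|-rw-r--r--" \
        "$root/var/log/BootUnlock.log|-rw-r--r--"
    do
        path="${spec%%|*}"; want_mode="${spec#*|}"
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; problems=$((problems + 1)); continue
        fi
        # ls -ldn prints the same leading fields on macOS and Linux:
        # field 1 is the mode string, field 3 the numeric owner.
        line=$(ls -ldn "$path")
        mode=$(printf '%s' "$line" | cut -c1-10)   # drops a trailing @ or +
        uid=$(printf '%s' "$line" | awk '{print $3}')
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER    $path uid=$uid (expected $want_uid)"
            problems=$((problems + 1))
        fi
        if [ -n "$want_mode" ] && [ "$mode" != "$want_mode" ]; then
            echo "MODE     $path $mode (expected $want_mode)"
            problems=$((problems + 1))
        fi
        # Anything a root LaunchDaemon runs must not be writable by group/other.
        case "$mode" in
            ?????w????|????????w?)
                echo "WRITABLE $path $mode"; problems=$((problems + 1)) ;;
        esac
    done
    echo "problems=$problems"
    [ "$problems" -eq 0 ]
}
```

Sourced into a Terminal session and called with no arguments, it reports each missing or mismatched item and ends with a `problems=N` line; a missing plist shows up as a single `MISSING` line.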

Wilfried84 commented 5 years ago

Thank you for taking the time to help me, the mostly clueless. And my clueless question, just how do I run these commands? The only way I know how to use command-line is cookbook fashion. If it's a matter of entering in Terminal, all I get is a series of errors.

Also, do you have any idea what might be making the installer fail? I have no idea what I might have done to make my system so recalcitrant.

Wilfried84 commented 5 years ago

Okay, I figured it out. The first three commands seemed to work okay. The last didn't.

Weibens-iMac:~ weiben$ curl -o BootUnlock.postinstall 'https://raw.githubusercontent.com/openwall-com-au/BootUnlock/master/scripts/postinstall'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2028 100 2028 0 0 12615 0 --:--:-- --:--:-- --:--:-- 12675
Weibens-iMac:~ weiben$ sed -i -e '/update.sh/d' BootUnlock.postinstall
Weibens-iMac:~ weiben$ chmod +x BootUnlock.postinstall
Weibens-iMac:~ weiben$ sudo /bin/bash -xe pwd/BootUnlock.postinstall
Password: xDMt

galaxy4public commented 5 years ago

That is really interesting, so your system does not have xcrun, but does have codesign. Something is broken, but I can't figure out what it is exactly.

A fresh install of Mojave definitely has a fully working codesign binary. I am not sure what I can do from here other than recommend reinstalling Mojave (like an upgrade over the existing system).

Wilfried84 commented 5 years ago

Hmm, that's really odd. It's a new machine, and I'm running the Mojave that came installed on it.

We'll see when I get around to trying that. I suppose that's why the installer doesn't work?

galaxy4public commented 5 years ago

I think I found an answer to your problem, @Wilfried84 :) -- a bit of Googling found this: https://stackoverflow.com/questions/52522565/git-is-not-working-after-macos-update-xcrun-error-invalid-active-developer-pa (which matches the situation you have).

So, basically, you need to open your terminal and execute xcode-select --install, after that the BootUnlock package installation is supposed to work flawlessly as it was intended. I did not realise that all machines I was working with had Xcode command-line tools installed due to other requirements. Quite a nice catch, in the end!

Wilfried84 commented 5 years ago

It works! Thanks for figuring it out, and maybe it will help the next guy.

One more question, does this work if the boot disk is FileVault encrypted, or does it have to be unlocked?

Thanks again.

galaxy4public commented 5 years ago

The whole point of this package is to automatically unlock the encrypted volumes on boot :), so yes it works with FileVault encrypted APFS volumes (which is likely the case since APFS is the current default).

galaxy4public commented 5 years ago

Closing as solved.

Wilfried84 commented 5 years ago

Maybe I said that wrong. Or maybe I'm clueless. I log into volume A, and I want volume B to be unlocked at boot. That's what happened when I tested. Volume B was encrypted, volume A was not (but was able to boot with user folder on B). Both volume A and volume B can be encrypted?

galaxy4public commented 5 years ago

Yes, this is exactly the reason this tool has been created: to be able to mount other encrypted volumes in addition to the system volume. In your example, "volume A" is the system volume and is unlocked automatically by OS when you boot up, but if you have your home volume (in your example, "volume B") which is encrypted - OS does not provide a way to unlock and mount it automatically. BootUnlock is doing exactly that.

Wilfried84 commented 5 years ago

Got it, thank you for the clarification.