Add uninstallation hint for MacOS regarding key chain entries #10664

Open
wants to merge 1 commit into
base: master

JoshuaBehrens

Motivation

To upgrade my devenv 0.6 setup I got the suggestion to completely wipe my nix installation before. Therefore I went for this and the experimental installer and apparently this is an issue during installation. This should be mentioned to be removed on a cleanup as well.

Context

see above

Priorities and Process

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@edolstra added the labels documentation, installer, macos (Nix on macOS, aka OS X, aka darwin) on May 8, 2024
@abathur
Member

abathur commented May 8, 2024

Can you clarify or link to the installation issue this causes?

The official installer keys each credential based on the volume uuid, and then it looks the credential up based on that uuid. I don't think it should be clashing (unless something else is causing it).

8. Remove the password to the encrypted Nix Store volume:

```console
sudo security delete-generic-password -a "Nix Store" -s "Nix Store" -l "disk3 encryption password" -D "Encrypted volume password"`
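Review bot: The command line in the console block ends with a stray backtick after "Encrypted volume password"; pasted into a shell it opens an unterminated command substitution and the command does not run, so drop that trailing character. The same line hard-codes disk3 in -l "disk3 encryption password"; a placeholder for the reader's own disk identifier would avoid sending people after an entry that does not exist on their machine.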
Member

@abathur abathur May 8, 2024

The instruction before this one uses diskXsY because disk3 is not a given.

For example, my nix store volume is disk1s6.

I'll also double-register that I don't think this is describing a credential that our installer adds. I suspect this might be from the detsys installer (or maybe our experimental version of that if someone's been handing out links to it?)

Author

I had a devenv 0.6 installation on my device. When I wanted to upgrade it I followed the guide https://devenv.sh/getting-started/ and noticed that I did not run the suggested experimental installer when installing devenv 1.0. When I was not sure about the state of my installation I decided to wipe it and followed this guide. When I ran the experimental installer I got the message that I still have a password in my key chain that should be removed.

Good hint though, that the disk number varies. I could refer to the disk name from the previous step.

@abathur
Member

abathur commented May 10, 2024

Pulling this out of the review comment so that this can stay visible even if you push something to fix my narrow query about disk/volume specials:

I had a devenv 0.6 installation on my device. When I wanted to upgrade it I followed the guide https://devenv.sh/getting-started/ and noticed that I did not run the suggested experimental installer when installing devenv 1.0. When I was not sure about the state of my installation I decided to wipe it and followed this guide. When I ran the experimental installer I got the message that I still have a password in my key chain that should be removed.

To make sure I'm understanding a few bits right:

  • to the best of your knowledge you ran into this trouble the first time you ran the experimental installer (but you previously used the default/official installer)?

  • after looking at the source, it sounds like the message in question is the one quoted below? (source):

    "The keychain has an existing password for a non-existing \"{0}\" volume on disk `{1}`, consider removing the password with `sudo security delete-generic-password  -a \"{0}\" -s \"Nix Store\" -l \"{1} encryption password\" -D \"Encrypted volume password\"`. Note that it's possible to have several passwords stored, so you may need to run this command several times until receiving the message `The specified item could not be found in the keychain.`"
    
  • following the instructions in that message got you sorted? Did you have to run it more than once? (Since it is templating the values it's suggesting, it is probably at least encouraging you to remove the credentials that it says are in its way.)

  • assuming the above instruction got you sorted, you're just suggesting we prevent this scare by describing how to clean up the credentials?

If those are all right, I think the scope of the ~problem + fix(es) may look like:

  • the detsys (and thus the experimental) installers don't create the credentials in a way that intrinsically namespaces them (making them sensitive to the existing volume credentials)
  • since the official installer does namespace the credentials by the volume UUID, it isn't sensitive to this specific kind of clash
  • since the official installer isn't sensitive to this, the official instructions take the more-cautious/conservative approach of not telling people to remove potentially-outdated credentials
    • it's understandable to be cautious about telling people to do something that could have consequences because people do semi-regularly open reports that indicate they misunderstood or mis-followed them
    • since we already tell people to delete the volume in the step before this, there shouldn't be much additional risk in telling them to delete that specific associated credential
    • but the error message makes it clear that people sometimes had more than one of these credentials--we should probably tell them to check for that and be a little more careful about how we tell them to remove them

If we're on the same page about that, @fricklerhandwerk may have thoughts about how to communicate it (IIRC he recently did a pass over the uninstall instructions for understandability) without leaving much room for mistakes/misunderstandings.

Meta: Egh :)

@domenkozar I didn't realize the experimental installer fork was already being used in a way that makes it partially load-bearing for users of a common Nix-adjacent toolchain. Curious what you think about this.

It's probably not in scope here, but this also makes me wonder whether the manual's uninstall instructions should go ahead and acknowledge and try to defuse the possibility that people try to follow its instructions when they should be looking for /nix/nix-installer or the receipt.json it creates as a sign they should run /nix/nix-installer uninstall instead of following the manual procedure?
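
The check-then-remove loop implied by the installer message quoted in the comment above (several passwords may be stored, so deletion is repeated until nothing matches), as an added example that is not code from the Nix manual, this PR, or either installer. It assumes entries carry the attributes templated in that message; `SECURITY_CMD`, `MAX_PASSES` and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: not code from the Nix manual, this PR, or either installer.
# Assumption: entries carry the attributes templated in the message quoted above
# (account = volume label, service "Nix Store", label "<disk> encryption password").
# SECURITY_CMD is a hypothetical override so the loop can be tested off macOS.
SECURITY_CMD="${SECURITY_CMD:-security}"
MAX_PASSES=20   # constructed safety cap: never loop forever on unexpected output

# Succeeds if at least one matching generic-password entry is present.
nix_keychain_entry_exists() {
    "$SECURITY_CMD" find-generic-password -a "$1" -s "Nix Store" \
        -l "$2 encryption password" -D "Encrypted volume password" >/dev/null 2>&1
}

# nix_keychain_purge VOLUME_LABEL DISK
# Deletes matching entries one at a time until none is found, then prints the
# number removed. Touches nothing unless DISK is "disk" followed only by
# digits and "s" (diskX, diskXsY).
nix_keychain_purge() {
    volume_label=$1
    disk=$2
    removed=0
    case ${disk#disk} in
        "$disk" | "" | *[!0-9s]*)
            echo "refusing: '$disk' is not a diskX / diskXsY identifier" >&2
            return 2 ;;
    esac
    while nix_keychain_entry_exists "$volume_label" "$disk"; do
        if [ "$removed" -ge "$MAX_PASSES" ]; then
            echo "stopped after $MAX_PASSES deletions; inspect the keychain" >&2
            return 1
        fi
        "$SECURITY_CMD" delete-generic-password -a "$volume_label" -s "Nix Store" \
            -l "$disk encryption password" -D "Encrypted volume password" \
            >/dev/null || return 1
        removed=$((removed + 1))
    done
    echo "$removed"
}
```

On macOS, source the file in a root shell (the page's command runs `security` under `sudo`) and call `nix_keychain_purge "Nix Store" disk1s6`, substituting your own volume label and disk identifier.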
