feat(installer): confirm-twice for LUKS passphrase + admin password

A typo in the LUKS passphrase is unrecoverable — the disk is unmountable without it and we don't escrow the key. Re-prompting until the two reads match catches keyboard-layout surprises (the US/UK quote-key position is the most common one) before they brick the install. Admin password gets the same treatment for consistency. Less catastrophic (resettable from a recovery shell) but a mismatch still locks the user out of their fresh install on first boot. Loop bails on cancel/ESC and re-prompts on validate_pw failure.
2026-05-06 10:31:21 +01:00 · 2026-05-06 10:31:21 +01:00 · 767fe71a3a
commit 767fe71a3a
parent 4c1895dcc1
1 changed files with 28 additions and 4 deletions
--- a/overlay/usr/local/bin/veilor-installer
+++ b/overlay/usr/local/bin/veilor-installer
@ -288,12 +288,36 @@ collect_answers() {
    }

    # ── LUKS passphrase ──
-    luks_pw=$(prompt_password "[2/3] Encryption · LUKS2 passphrase (min 8)") || return 1
-    validate_pw "$luks_pw" "passphrase" || return 1
+    # v0.6: prompt twice + string-compare. A typo in the LUKS passphrase
+    # is unrecoverable — the disk is unmountable without it and we
+    # don't escrow the key. Re-prompting until the two reads match
+    # catches keyboard-layout surprises (US vs UK quote position is
+    # the most common one) before they brick the install.
+    local luks_pw_confirm
+    while true; do
+        luks_pw=$(prompt_password "[2/3] Encryption · LUKS2 passphrase (min 8)") || return 1
+        validate_pw "$luks_pw" "passphrase" || continue
+        luks_pw_confirm=$(prompt_password "[2/3] Confirm LUKS2 passphrase") || return 1
+        if [[ $luks_pw == "$luks_pw_confirm" ]]; then
+            break
+        fi
+        prompt_error "Passphrases do not match — try again."
+    done

    # ── Admin password ──
-    admin_pw=$(prompt_password "[3/3] Admin user · password for 'admin'") || return 1
-    validate_pw "$admin_pw" "password" || return 1
+    # Same confirm-twice pattern. Less catastrophic than LUKS (admin
+    # password can be reset from a recovery shell) but a mismatch here
+    # still locks the user out of their fresh install on first boot.
+    local admin_pw_confirm
+    while true; do
+        admin_pw=$(prompt_password "[3/3] Admin user · password for 'admin'") || return 1
+        validate_pw "$admin_pw" "password" || continue
+        admin_pw_confirm=$(prompt_password "[3/3] Confirm admin password") || return 1
+        if [[ $admin_pw == "$admin_pw_confirm" ]]; then
+            break
+        fi
+        prompt_error "Passwords do not match — try again."
+    done

    # ── Locale ──
    # Hardcoded en_US.UTF-8 for branded consistency. The picker that