From 767fe71a3ab6866ee5d2690df5cb7e9f7d4ab2ff Mon Sep 17 00:00:00 2001
From: veilor-org
Date: Wed, 6 May 2026 10:31:21 +0100
Subject: [PATCH] feat(installer): confirm-twice for LUKS passphrase + admin password
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A typo in the LUKS passphrase is unrecoverable — the disk is unmountable without it and we don't escrow the key. Re-prompting until the two reads match catches keyboard-layout surprises (the US/UK quote-key position is the most common one) before they brick the install. Admin password gets the same treatment for consistency. Less catastrophic (resettable from a recovery shell) but a mismatch still locks the user out of their fresh install on first boot. Loop bails on cancel/ESC and re-prompts on validate_pw failure.
---
 overlay/usr/local/bin/veilor-installer | 32 ++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/overlay/usr/local/bin/veilor-installer b/overlay/usr/local/bin/veilor-installer
index 47dd2e6..fb1f255 100644
--- a/overlay/usr/local/bin/veilor-installer
+++ b/overlay/usr/local/bin/veilor-installer
@@ -288,12 +288,36 @@ collect_answers() {
 }
 
 # ── LUKS passphrase ──
- luks_pw=$(prompt_password "[2/3] Encryption · LUKS2 passphrase (min 8)") || return 1
- validate_pw "$luks_pw" "passphrase" || return 1
+ # v0.6: prompt twice + string-compare. A typo in the LUKS passphrase
+ # is unrecoverable — the disk is unmountable without it and we
+ # don't escrow the key. Re-prompting until the two reads match
+ # catches keyboard-layout surprises (US vs UK quote position is
+ # the most common one) before they brick the install.
+ local luks_pw_confirm
+ while true; do
+ luks_pw=$(prompt_password "[2/3] Encryption · LUKS2 passphrase (min 8)") || return 1
+ validate_pw "$luks_pw" "passphrase" || continue
+ luks_pw_confirm=$(prompt_password "[2/3] Confirm LUKS2 passphrase") || return 1
+ if [[ $luks_pw == "$luks_pw_confirm" ]]; then
+ break
+ fi
+ prompt_error "Passphrases do not match — try again."
+ done
 
 # ── Admin password ──
- admin_pw=$(prompt_password "[3/3] Admin user · password for 'admin'") || return 1
- validate_pw "$admin_pw" "password" || return 1
+ # Same confirm-twice pattern. Less catastrophic than LUKS (admin
+ # password can be reset from a recovery shell) but a mismatch here
+ # still locks the user out of their fresh install on first boot.
+ local admin_pw_confirm
+ while true; do
+ admin_pw=$(prompt_password "[3/3] Admin user · password for 'admin'") || return 1
+ validate_pw "$admin_pw" "password" || continue
+ admin_pw_confirm=$(prompt_password "[3/3] Confirm admin password") || return 1
+ if [[ $admin_pw == "$admin_pw_confirm" ]]; then
+ break
+ fi
+ prompt_error "Passwords do not match — try again."
+ done
 
 # ── Locale ──
 # Hardcoded en_US.UTF-8 for branded consistency. The picker that
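Review bot: Both new loops leave a second copy of the secret alive after they exit — `luks_pw_confirm` and `admin_pw_confirm` are declared `local` but never cleared once the compare succeeds, so each passphrase sits in two shell variables for the rest of `collect_answers` (and, with bash's dynamic scoping, in any function it calls afterwards), doubling what a stray `set -x` trace or `declare -p` dump would expose. Add `unset luks_pw_confirm` after the LUKS `done` and `unset admin_pw_confirm` after the admin `done` so only the variable the installer actually consumes holds the value. `prompt_error` is first used in this hunk and is not visible anywhere else in this view, so confirm it is defined in the installer before this lands. `collect_answers` starts before the hunk and continues past it.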