Install reported successful despite failed daemon startup #742

Closed
svenssonaxel opened this issue Nov 23, 2023 · 13 comments

@svenssonaxel

If the daemon startup fails, the installation is still reported as successful. While this might be good for statistics, it might be better to check that the daemon has started and report failure otherwise, so that the issues can be addressed.

In this particular case, the failure looks similar to NixOS/nix#6291 after running nix-installer on an AWS mac2-m2pro.metal.

>TERM=xterm ssh ec2-REDACTED.us-east-2.compute.amazonaws.com
uLast login: Thu Nov 23 18:26:17 2023 from 135.181.117.99

    ┌───┬──┐   __|  __|_  )
    │ ╷╭╯╷ │   _|  (     /
    │  └╮  │  ___|\___|___|
    │ ╰─┼╯ │  Amazon EC2
    └───┴──┘  macOS Ventura 13.6.1

ec2-user@ip-REDACTED ~ % uname -a
Darwin ip-REDACTED.us-east-2.compute.internal 22.6.0 Darwin Kernel Version 22.6.0: Wed Oct  4 21:26:55 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_ARM64_T6020 arm64
ec2-user@ip-REDACTED ~ % curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
info: downloading installer https://install.determinate.systems/nix/tag/v0.14.0/nix-installer-aarch64-darwin
`nix-installer` needs to run as `root`, attempting to escalate now via `sudo`...
Nix install plan (v0.14.0)
Planner: macos (with default settings)

Planned actions:
* Create an APFS volume `Nix Store` for Nix on `disk5` and add it to `/etc/fstab` mounting on `/nix`
* Fetch `https://releases.nixos.org/nix/nix-2.18.1/nix-2.18.1-aarch64-darwin.tar.xz` to `/nix/temp-install-dir`
* Create a directory tree in `/nix`
* Move the downloaded Nix into `/nix`
* Create build users (UID 300-332) and group (GID 30000)
* Configure Time Machine exclusions
* Setup the default Nix profile
* Place the Nix configuration in `/etc/nix/nix.conf`
* Configure the shell profiles
* Create a `launchctl` plist to put Nix into your PATH
* Configure Nix daemon related settings with launchctl
* Remove directory `/nix/temp-install-dir`


Proceed? ([Y]es/[n]o/[e]xplain):
 INFO Step: Create an APFS volume `Nix Store` for Nix on `disk5` and add it to `/etc/fstab` mounting on `/nix`
 INFO Step: Provision Nix
 INFO Step: Create build users (UID 300-332) and group (GID 30000)
 INFO Step: Configure Time Machine exclusions
 INFO Step: Configure Nix
 INFO Step: Create a `launchctl` plist to put Nix into your PATH
 INFO Step: Configure Nix daemon related settings with launchctl
 INFO Step: Remove directory `/nix/temp-install-dir`
Nix was installed successfully!
To get started using Nix, open a new shell or run `. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh`

ec2-user@ip-REDACTED ~ % . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
ec2-user@ip-REDACTED ~ % nix repl
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted
ec2-user@ip-REDACTED ~ % nix doctor
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted
ec2-user@ip-REDACTED ~ % launchctl list | grep nix-daemon
-       -6      org.nixos.nix-daemon
ec2-user@ip-REDACTED ~ % sudo launchctl start org.nixos.nix-daemon

ec2-user@ip-REDACTED ~ % launchctl list | grep nix-daemon
-       -6      org.nixos.nix-daemon
ec2-user@ip-REDACTED ~ % tail /var/log/system.log
Nov 23 18:18:57 ip-REDACTED syslogd[55]: ASL Sender Statistics
Nov 23 18:19:27 ip-REDACTED sshd: ec2-user [priv][1504]: DEAD_PROCESS: 1506 ttys000
Nov 23 18:19:58 ip-REDACTED sshd: ec2-user [priv][1623]: USER_PROCESS: 1625 ttys000
Nov 23 18:20:49 ip-REDACTED sshd: ec2-user [priv][1623]: DEAD_PROCESS: 1625 ttys000
Nov 23 18:20:53 ip-REDACTED sshd: ec2-user [priv][1739]: USER_PROCESS: 1741 ttys000
Nov 23 18:26:12 ip-REDACTED sshd: ec2-user [priv][1739]: DEAD_PROCESS: 1741 ttys000
Nov 23 18:26:17 ip-REDACTED sshd: ec2-user [priv][2408]: USER_PROCESS: 2410 ttys000
Nov 23 18:28:33 ip-REDACTED sshd: ec2-user [priv][2408]: DEAD_PROCESS: 2410 ttys000
Nov 23 18:28:43 ip-REDACTED sshd: ec2-user [priv][2440]: USER_PROCESS: 2442 ttys000
Nov 23 18:30:40 ip-REDACTED syslogd[55]: ASL Sender Statistics
ec2-user@ip-REDACTED ~ % tail /var/log/nix-daemon.log
  Reason: tried: '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (no such file), '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/local/lib/libsodium.23.dylib' (no such file), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)
dyld[3017]: Library not loaded: /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib
  Referenced from: <no uuid> /nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1/bin/nix
  Reason: tried: '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (no such file), '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/local/lib/libsodium.23.dylib' (no such file), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)
dyld[3020]: Library not loaded: /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib
  Referenced from: <no uuid> /nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1/bin/nix
  Reason: tried: '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (no such file), '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/local/lib/libsodium.23.dylib' (no such file), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)
dyld[3023]: Library not loaded: /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib
  Referenced from: <no uuid> /nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1/bin/nix
  Reason: tried: '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (no such file), '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/local/lib/libsodium.23.dylib' (no such file), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)
ec2-user@ip-REDACTED ~ % ls -la /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib /nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1/bin/nix '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' '/System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' '/usr/local/lib/libsodium.23.dylib' '/usr/lib/libsodium.23.dylib'
ls: /System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib: No such file or directory
ls: /usr/lib/libsodium.23.dylib: No such file or directory
ls: /usr/local/lib/libsodium.23.dylib: No such file or directory
-r-xr-xr-x  1 root  wheel  3109696 Jan  1  1970 /nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1/bin/nix
-r-xr-xr-x  1 root  wheel   416960 Jan  1  1970 /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib
-r-xr-xr-x  1 root  wheel   416960 Jan  1  1970 /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib
-r-xr-xr-x  1 root  wheel   416960 Jan  1  1970 /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib
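
The check requested at the top of this post could look like the following. This is an added example, not part of the original post and not nix-installer's own code. The function names are hypothetical and the sample log is constructed from the dyld errors above, with `<hash>` as a placeholder.

```shell
#!/bin/sh
# Added example: post-install health check for the Nix daemon on macOS.
LABEL="org.nixos.nix-daemon"          # job label shown in the transcript
DAEMON_LOG="/var/log/nix-daemon.log"  # log path shown in the transcript

# Constructed sample log modelled on the dyld errors above (<hash> is a placeholder).
sample_log() {
    cat <<'EOF'
dyld[1417]: Library not loaded: /nix/store/<hash>-libsodium-1.0.18/lib/libsodium.23.dylib
  Referenced from: <no uuid> /nix/store/<hash>-nix-2.18.1/bin/nix
  Reason: tried: '/nix/store/<hash>-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)
EOF
}

# classify_launchctl_line "<PID> <Status> <Label>"
# `launchctl list` prints PID, last exit status and label. PID is "-" when the
# job is not running; a negative status is the negated signal that stopped it.
classify_launchctl_line() {
    printf '%s\n' "$1" | awk '
        NF < 3            { print "missing"; exit }
        $1 != "-"         { print "running"; exit }
        $2 ~ /^-[0-9]+$/  { print "signal:" substr($2, 2); exit }
                          { print "exited:" $2 }'
}

# Reads a daemon log on stdin and prints how many lines record a library
# load that the file system sandbox rejected.
count_sandbox_denials() {
    grep -cF 'file system sandbox blocked open()' || true
}

# check_daemon "<launchctl line>"   (daemon log on stdin)
# Returns 0 only when the job is running, otherwise prints why and returns 1.
check_daemon() {
    state=$(classify_launchctl_line "$1")
    denials=$(count_sandbox_denials)
    case "$state" in
        running) echo "ok: $LABEL is running"; return 0 ;;
        missing) echo "FAIL: $LABEL is not loaded"; return 1 ;;
    esac
    if [ "$denials" -gt 0 ]; then
        echo "FAIL: $LABEL not running ($state); $denials log line(s) show dyld blocked by the file system sandbox"
    else
        echo "FAIL: $LABEL not running ($state); see $DAEMON_LOG"
    fi
    return 1
}

if [ "${1:-}" = "--live" ]; then
    # On the host: exit status is non-zero when the daemon is not running.
    tail -n 50 "$DAEMON_LOG" 2>/dev/null |
        check_daemon "$(launchctl list | grep -F "$LABEL")"
else
    # Demo on the constructed sample; status -6 is the value from the transcript.
    sample_log | check_daemon "- -6 $LABEL" || true
fi
```

Run with `--live` on the installed host; without arguments it only exercises the constructed sample.
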
@grahamc
Member

grahamc commented Nov 24, 2023

This is super interesting. We test regularly on a fleet of macs, but they're in a rack and don't use external storage. Thanks for such a good log / record of what you're seeing, we'll hunt this down.

@grahamc
Member

grahamc commented Nov 24, 2023

Notes from a Mac on AWS, running macOS Sonoma 14.1 on a mac2-m2.metal, which I'd expect to exhibit similar symptoms.

ec2-user@ip-172-31-40-68 ~ % mount
/dev/disk5s2s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk5s5 on /System/Volumes/VM (apfs, local, noexec, journaled, nobrowse)
/dev/disk5s3 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
/dev/disk1s2 on /System/Volumes/xarts (apfs, local, noexec, journaled, nobrowse)
/dev/disk1s1 on /System/Volumes/iSCPreboot (apfs, local, journaled, nobrowse)
/dev/disk1s3 on /System/Volumes/Hardware (apfs, local, journaled, nobrowse)
/dev/disk5s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
/dev/disk3s4 on /private/tmp/tmp-mount-qYjtWH (apfs, local, journaled, nobrowse)
ec2-user@ip-172-31-40-68 ~ % diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
   2:                 Apple_APFS Container disk3         245.1 GB   disk0s2
   3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3

/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +245.1 GB   disk3
                                 Physical Store disk0s2
   1:                APFS Volume InternalDisk            9.9 GB     disk3s1
   2:                APFS Volume Preboot                 5.1 GB     disk3s2
   3:                APFS Volume Recovery                870.3 MB   disk3s3
   4:                APFS Volume Data                    560.0 MB   disk3s5
   5:                APFS Volume VM                      20.5 KB    disk3s6

/dev/disk4 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *107.4 GB   disk4
   1:                        EFI EFI                     209.7 MB   disk4s1
   2:                 Apple_APFS Container disk5         107.2 GB   disk4s2

/dev/disk5 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +107.2 GB   disk5
                                 Physical Store disk4s2
   1:                APFS Volume Macintosh HD - Data     4.8 GB     disk5s1
   2:                APFS Volume Macintosh HD            9.9 GB     disk5s2
   3:              APFS Snapshot com.apple.os.update-... 9.9 GB     disk5s2s1
   4:                APFS Volume Preboot                 5.6 GB     disk5s3
   5:                APFS Volume Recovery                820.5 MB   disk5s4
   6:                APFS Volume VM                      20.5 KB    disk5s5

@svenssonaxel
Author

Note that I've used other Macs on AWS without this problem, so if you have trouble reproducing, make sure to use the exact same instance type and OS version.

@grahamc
Member

grahamc commented Nov 25, 2023

I could replicate this with the host above. Here's the relevant part of the plan:

{
  "version": "0.15.1",
  "actions": [
    {
      "action": {
        "action": "create_apfs_volume",
        "disk": "disk5",
        "name": "Nix Store",
        "case_sensitive": false,
        "encrypt": false,
        "create_or_append_synthetic_conf": {
          "action": {
            "path": "/etc/synthetic.conf",
            "user": null,
            "group": null,
            "mode": null,
            "buf": "nix\n",
            "position": "End"
          },
          "state": "Uncompleted"
        },
        "create_synthetic_objects": {
          "action": null,
          "state": "Uncompleted"
        },
        "unmount_volume": {
          "action": {
            "disk": "disk5",
            "name": "Nix Store"
          },
          "state": "Uncompleted"
        },
        "create_volume": {
          "action": {
            "disk": "disk5",
            "name": "Nix Store",
            "case_sensitive": false
          },
          "state": "Uncompleted"
        },
        "create_fstab_entry": {
          "action": {
            "apfs_volume_label": "Nix Store",
            "existing_entry": "None"
          },
          "state": "Uncompleted"
        },
        "encrypt_volume": null,
        "setup_volume_daemon": {
          "action": {
            "path": "/Library/LaunchDaemons/org.nixos.darwin-store.plist",
            "apfs_volume_label": "Nix Store",
            "mount_service_label": "org.nixos.darwin-store",
            "mount_point": "/nix",
            "encrypt": false,
            "needs_bootout": false
          },
          "state": "Uncompleted"
        },
...

and I got very similar output:

Proceed? ([Y]es/[n]o/[e]xplain): y
 INFO Step: Create an APFS volume `Nix Store` for Nix on `disk5` and add it to `/etc/fstab` mounting on `/nix`
 INFO Step: Provision Nix
 INFO Step: Create build users (UID 300-332) and group (GID 30000)
 INFO Step: Configure Time Machine exclusions
 INFO Step: Configure Nix
 INFO Step: Configuring zsh to support using Nix in non-interactive shells
 INFO Step: Create a `launchctl` plist to put Nix into your PATH
 INFO Step: Configure Nix daemon related settings with launchctl
 INFO Step: Remove directory `/nix/temp-install-dir`
Nix was installed successfully!
To get started using Nix, open a new shell or run `. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh`

ec2-user@ip-172-31-40-68 ~ % . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
ec2-user@ip-172-31-40-68 ~ % nix repl
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted
ec2-user@ip-172-31-40-68 ~ % tail /var/log/system.log
Nov 25 00:04:31 ip-172-31-40-68 syslogd[98]: ASL Sender Statistics
ec2-user@ip-172-31-40-68 ~ % launchctl list | grep nix-daemon
-	-6	org.nixos.nix-daemon
ec2-user@ip-172-31-40-68 ~ % sudo launchctl start org.nixos.nix-daemon
ec2-user@ip-172-31-40-68 ~ % launchctl list | grep nix-daemon         
-	-6	org.nixos.nix-daemon
ec2-user@ip-172-31-40-68 ~ % tail /var/log/system.log                 
Nov 25 00:04:31 ip-172-31-40-68 syslogd[98]: ASL Sender Statistics
ec2-user@ip-172-31-40-68 ~ % tail /var/log/nix-daemon.log
  Reason: tried: '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (no such file), '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/local/lib/libsodium.23.dylib' (no such file), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)
dyld[1417]: Library not loaded: /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib
  Referenced from: <no uuid> /nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1/bin/nix
  Reason: tried: '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (no such file), '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/local/lib/libsodium.23.dylib' (no such file), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)
dyld[1420]: Library not loaded: /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib
  Referenced from: <no uuid> /nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1/bin/nix
  Reason: tried: '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (no such file), '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/local/lib/libsodium.23.dylib' (no such file), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)
dyld[1430]: Library not loaded: /nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib
  Referenced from: <no uuid> /nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1/bin/nix
  Reason: tried: '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/System/Volumes/Preboot/Cryptexes/OS/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (no such file), '/nix/store/gky12ai26saxyvki60g0zld0sank42c9-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/local/lib/libsodium.23.dylib' (no such file), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)

@grahamc
Member

grahamc commented Nov 25, 2023

I have solved this, but it'll take time to get it integrated into the installation flow. I've created a signed program that shims access to the Nix daemon. This gets us half way there. It has a caveat, though: The machine must grant Full Disk Access to that program.

This can be done in two ways:

  1. by hand, interactively, in Privacy and Security -> Full Disk Access.
  2. using a TCC profile, deployed via MDM. I can upload an example of this for when the rest of the pieces are available.

This is basically the only way, by design by Apple. Their security is good! :).

Next steps:

  1. Finish up this shim and get it distributed through the installer.
  2. UX work to make it clear that enabling FDA is the way to get it all to work.
  3. Documentation on how to enable FDA via TCC in MDM. (whew.)

Big thanks to @angerman whose comments on that linked issue were right on point, and got me a lot of the way through.

@svenssonaxel
Author

@grahamc Triggered by a comment in the linked issue I tried to run the daemon manually, not as a service, in a separate terminal. This workaround appeared to be successful. Does this change your assessment in any way, as to whether the shim is necessary?

@angerman

If you run nix in Terminal.app, and Terminal.app has FDA, so will nix (inherit).

What you can do, though that's really a bit, uh, hacky:

  1. Start Terminal.app in a graphical session (e.g. auto login, auto-launch)
  2. Have that start tmux in Terminal.app
  3. Connect via SSH, and issue commands to the terminal by attaching to the tmux session.

😒 I don't want to go there again.

@svenssonaxel
Author

@angerman This was done with no graphical session. I just did ssh, sudo, nix-daemon. If that gives FDA then I don't understand why a special shim is necessary, and if that does not give FDA then I don't understand what prevents nix-daemon started as a service from working and why a shim is necessary. I'm probably wrong, just wanted to point out the manual workaround if that could give @grahamc any ideas.

@grahamc
Member

grahamc commented Nov 27, 2023

Unfortunately the shim is still likely to be necessary in almost all cases. The behavior of the sandbox is a bit mysterious, and different behaviors can make it be a non-issue... sometimes. The shim isn't very complicated, though, which is good news.

@angerman

@svenssonaxel you may be able to verify three things:
1.) check if SIP is enabled (csrutil status, I think)
2.) if /nix is indeed on an external disk. (mount and diskutil should be able to verify)
3.) log into the graphical session and check which applications have FullDiskAccess in your Settings.app

Iirc if ssh-keygen-wrapper (or whatever that thing is called) has FDA, so will your ssh session as well.

By default on a blank macOS install nothing has FDA permissions.
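
The second check in the list above (is `/nix` on an external disk) can be scripted from the same `mount` and `diskutil list` output shown earlier in the thread. This is an added example, not part of the original comment; the function names are hypothetical, and the sample input is constructed from grahamc's listing plus an assumed `/dev/disk5s7 on /nix` mount line.

```shell
#!/bin/sh
# Added example: report whether the disk backing a mount point is internal or external.

# Constructed samples modelled on the `mount` / `diskutil list` output above.
# The /nix line (disk5s7) is an assumption; the thread shows no post-install mount.
sample_mount() {
    cat <<'EOF'
/dev/disk5s2s1 on / (apfs, sealed, local, read-only, journaled)
/dev/disk5s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk5s7 on /nix (apfs, local, journaled, nobrowse)
EOF
}
sample_diskutil() {
    cat <<'EOF'
/dev/disk0 (internal, physical):
   2:                 Apple_APFS Container disk3         245.1 GB   disk0s2

/dev/disk3 (synthesized):
   0:      APFS Container Scheme -                      +245.1 GB   disk3
                                 Physical Store disk0s2

/dev/disk4 (external, physical):
   2:                 Apple_APFS Container disk5         107.2 GB   disk4s2

/dev/disk5 (synthesized):
   0:      APFS Container Scheme -                      +107.2 GB   disk5
                                 Physical Store disk4s2
EOF
}

# device_for_mount MOUNTPOINT   (stdin: `mount` output) -> whole-disk id, e.g. disk5
# Mount points containing spaces are not handled.
device_for_mount() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            d = $1
            sub(/^\/dev\//, "", d)
            sub(/s[0-9]+(s[0-9]+)?$/, "", d)   # drop slice and snapshot suffix
            print d; exit
        }'
}

# disk_location DISK   (stdin: `diskutil list` output) -> internal | external | unknown
# A synthesized APFS container is followed back to its "Physical Store" disk.
disk_location() {
    awk -v want="$1" '
        /^\/dev\/disk[0-9]+ / { cur = substr($1, 6); kind[cur] = $0 }
        /Physical Store/      { store[cur] = $NF }
        END {
            d = want
            if (d in store) { d = store[d]; sub(/s[0-9]+$/, "", d) }
            if (!(d in kind)) { print "unknown"; exit }
            if (kind[d] ~ /\(external/) print "external"
            else if (kind[d] ~ /\(internal/) print "internal"
            else print "unknown"
        }'
}

# mount_location MOUNTPOINT MOUNT_OUTPUT DISKUTIL_OUTPUT
mount_location() {
    d=$(printf '%s\n' "$2" | device_for_mount "$1")
    if [ -z "$d" ]; then echo "not-mounted"; return 0; fi
    printf '%s\n' "$3" | disk_location "$d"
}

if [ "${1:-}" = "--live" ]; then
    csrutil status                                   # check 1: SIP state
    mount_location /nix "$(mount)" "$(diskutil list)"
else
    mount_location /nix "$(sample_mount)" "$(sample_diskutil)"   # prints: external
fi
```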

@svenssonaxel
Author

svenssonaxel commented Nov 28, 2023

> @svenssonaxel you may be able to verify three things:

@angerman Sorry, I don't have access to such a machine currently.

@kbob

kbob commented Aug 15, 2024

I'm trying to install nix for the first time, so please excuse my ignorance.

I hit the same error tonight on an Intel iMac Pro booted from an external drive, MacOS 14.6.1 Sonoma. Same errors in /var/log/nix-daemon.log. I used the command-line installer. The install script reported success, but the self-test subcommand (and "nix run nixpkgs#hello") reported

  error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

I eventually traced it down to the same errors in /var/log/nix-daemon:

dyld[29325]: Library not loaded: /nix/store/hgs3ai43fdac79v6dvc2k8zz38jhqfzj-libsodium-1.0.18/lib/libsodium.23.dylib
  Referenced from: <no uuid> /nix/store/51zkf3552d20gm6jswz3xs1yipdgksbg-nix-2.23.3/bin/nix
  Reason: tried: '/nix/store/hgs3ai43fdac79v6dvc2k8zz38jhqfzj-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/System/Volumes/Preboot/Cryptexes/OS/nix/store/hgs3ai43fdac79v6dvc2k8zz38jhqfzj-libsodium-1.0.18/lib/libsodium.23.dylib' (no such file), '/nix/store/hgs3ai43fdac79v6dvc2k8zz38jhqfzj-libsodium-1.0.18/lib/libsodium.23.dylib' (file system sandbox blocked open()), '/usr/local/lib/libsodium.23.dylib' (no such file), '/usr/lib/libsodium.23.dylib' (no such file, not in dyld cache)

Is this problem fixed in the graphical installer, and is that why it's a signed app?

Thanks.

@grahamc
Member

grahamc commented Oct 1, 2024

Hey folks, this problem (which is specific to macOS on EC2) has been solved. See: https://determinate.systems/posts/unattended-nix-install-macos-aws-ec2/

@grahamc grahamc closed this as completed Oct 1, 2024