From 2fe00f42dc459d32b6a34fee906a7d04522ce6bd Mon Sep 17 00:00:00 2001
From: Mike McQuaid
Date: Fri, 29 Sep 2023 09:18:00 +0100
Subject: [PATCH] bin/strap.sh: use Sonoma's sudo_local instead of sudo.

This now survives system updates.
Reference: https://sixcolors.com/post/2023/08/in-macos-sonoma-touch-id-for-sudo-can-survive-updates/
---
 bin/strap.sh | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/bin/strap.sh b/bin/strap.sh
index 362df18ff..750e2c266 100755
--- a/bin/strap.sh
+++ b/bin/strap.sh
@@ -75,7 +75,7 @@ sudo_init() {
 fi
 # If TouchID for sudo is setup: use that instead.
- if grep -q pam_tid /etc/pam.d/sudo; then
+ if grep -q pam_tid /etc/pam.d/sudo /etc/pam.d/sudo_local 2>/dev/null; then
 return
 fi
@@ -186,8 +186,17 @@ caffeinate -s -w $$ &
 # shellcheck disable=SC2010
 if ls /usr/lib/pam | grep $Q "pam_tid.so"; then
 logn "Configuring sudo authentication using TouchID:"
- PAM_FILE="/etc/pam.d/sudo"
- FIRST_LINE="# sudo: auth account password session"
+ if [[ -f /etc/pam.d/sudo_local || -f /etc/pam.d/sudo_local.template ]]; then
+ # New in macOS Sonoma, survives updates.
+ PAM_FILE="/etc/pam.d/sudo_local"
+ FIRST_LINE="# sudo_local: local config file which survives system update and is included for sudo"
+ if [[ ! -f "/etc/pam.d/sudo_local" ]]; then
+ echo "$FIRST_LINE" | sudo_askpass tee "$PAM_FILE" >/dev/null
+ fi
+ else
+ PAM_FILE="/etc/pam.d/sudo"
+ FIRST_LINE="# sudo: auth account password session"
+ fi
 if grep $Q pam_tid.so "$PAM_FILE"; then
 logk
 elif ! head -n1 "$PAM_FILE" | grep $Q "$FIRST_LINE"; then
@@ -425,7 +434,7 @@ fi
 # Install from local Brewfile
 if [ -f "$HOME/.Brewfile" ]; then
 log "Installing from user Brewfile on GitHub:"
- brew bundle check --global || brew bundle --global
+ brew bundle check --global &>/dev/null || brew bundle --global
 logk
 fi
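Review bot: The `grep -q pam_tid` test on the added line matches any occurrence of the string, including a commented-out one. As far as I know the Sonoma `sudo_local.template` ships its `pam_tid.so` line commented, so a `sudo_local` copied from the template unchanged would make `sudo_init` return as if Touch ID were active. The second hunk uses the same unanchored match (`grep $Q pam_tid.so "$PAM_FILE"`), where it would report the file as already configured and skip the edit. Matching only an active rule avoids both, for example `grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tid\.so' /etc/pam.d/sudo /etc/pam.d/sudo_local 2>/dev/null`. `sudo_init` starts and ends outside this hunk, so what the early return skips is not visible here.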
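Review bot: The new `sudo_local` is created by `tee` with whatever mode the sudo session's umask produces, and nothing in the hunk sets or checks it, although this file is included into sudo's PAM stack. Setting the mode explicitly right after creation makes the result independent of the environment, e.g. `sudo_askpass chmod 0444 "$PAM_FILE"` (the mode is my assumption of what the other files in `/etc/pam.d` use; confirm on a Sonoma host). The inner test could also reuse the variable, `if [[ ! -f "$PAM_FILE" ]]; then`, so the path is spelled once. The enclosing `if ls /usr/lib/pam …` block continues past the hunk, so the code that edits the file afterwards is not visible here.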
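Review bot: `&>/dev/null` on the added line discards stderr as well as stdout, so a `brew bundle check --global` that fails for a reason other than unmet dependencies (a broken brew, an unreadable Brewfile) looks the same as a normal miss. If the aim is only to hide the routine status message, `brew bundle check --global >/dev/null || brew bundle --global` keeps errors visible; I have not confirmed which stream that message is written to. Otherwise a short comment such as `# check output is noise; real errors surface from brew bundle below` would record the intent.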