
Commit 1b766ad

authored
Change how apt keys are downloaded (hestiacp#2299)
* Replace apt-key with wget + gpg See https://blog.cloudflare.com/dont-use-apt-key/ * Deprecate use of apt-key https://blog.cloudflare.com/dont-use-apt-key/ * Remove sudo change hestia key to keyserver * Mute output and use arch=amd64 - Use curl instead of wget - mute output - Use [arch=amd64 xxxxx] instead of [amd64 xxxxx - Create folder for gnugpg * Remove extra fi * Mute output curl * Update Ubuntu installer Except for ppa.launchpad.net * Include upgrade script * Fix issue with Mariadb - Hide error message apt-key - Update "Update" message * Update drone pipeline stages * Bring in sync with 1.5.3 release * See comment @kpapad904 * Fix mix up of release, codename and version + Add RHOST as it was missing * Move to 1.5.5
1 parent 266226f commit 1b766ad


6 files changed

+98
-25
lines changed


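--- a/.drone.yml
+++ b/.drone.yml
@@ -1,7 +1,7 @@
 ---
 kind: pipeline
 type: ssh
-name: HestiaCP + Nginx + Apache2
+name: Ubuntu | Nginx + Apache2
 
 concurrency:
 limit: 1
@@ -45,7 +45,7 @@ trigger:
 ---
 kind: pipeline
 type: ssh
-name: HestiaCP + Nginx
+name: Debian | Nginx
 
 concurrency:
 limit: 1
@@ -109,4 +109,4 @@ trigger:
 
 ---
 kind: signature
-hmac: da6a96c077ec55ccfb27ec8a3250eeb0700153078adf088dc70998b2cd033b28
+hmac: e6d1a0d62ad4f5b0b8bed33c248e55e6de60ee9c1601ee5395fe5d5e72942e85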

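--- a/install/hst-install-debian.sh
+++ b/install/hst-install-debian.sh
@@ -686,45 +686,49 @@ fi
 # Define apt conf location
 apt=/etc/apt/sources.list.d
 
+#create new folder if not all-ready exists
+mkdir /root/.gnupg/
+chmod 600 /root/.gnupg/
+
 # Updating system
 echo "Adding required repositories to proceed with installation:"
 echo
 
 # Installing Nginx repo
 
 echo "[ * ] NGINX"
-echo "deb [arch=$ARCH] https://nginx.org/packages/mainline/$VERSION/ $codename nginx" > $apt/nginx.list
-apt-key adv --fetch-keys 'https://nginx.org/keys/nginx_signing.key' > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/nginx-keyring.gpg] https://nginx.org/packages/mainline/$VERSION/ $codename nginx" > $apt/nginx.list
+curl -s https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-keyring.gpg >/dev/null 2>&1
 
 # Installing sury PHP repo
 echo "[ * ] PHP"
-echo "deb https://packages.sury.org/php/ $codename main" > $apt/php.list
-apt-key adv --fetch-keys 'https://packages.sury.org/php/apt.gpg' > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/php/ $codename main" > $apt/php.list
+curl -s https://packages.sury.org/php/apt.gpg | gpg --dearmor | tee /usr/share/keyrings/sury-keyring.gpg >/dev/null 2>&1
 
 # Installing sury Apache2 repo
 if [ "$apache" = 'yes' ]; then
 echo "[ * ] Apache2"
-echo "deb https://packages.sury.org/apache2/ $codename main" > $apt/apache2.list
-apt-key adv --fetch-keys 'https://packages.sury.org/apache2/apt.gpg' > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/apache2-keyring.gpg] https://packages.sury.org/apache2/ $codename main" > $apt/apache2.list
+curl -s https://packages.sury.org/apache2/apt.gpg | gpg --dearmor | tee /usr/share/keyrings/apache2-keyring.gpg >/dev/null 2>&1
 fi
 
 # Installing MariaDB repo
 if [ "$mysql" = 'yes' ]; then
 echo "[ * ] MariaDB"
-echo "deb [arch=$ARCH] https://mirror.mva-n.net/mariadb/repo/$mariadb_v/$VERSION $codename main" > $apt/mariadb.list
-apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc' > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/mariadb-keyring.gpg] https://mirror.mva-n.net/mariadb/repo/$mariadb_v/$VERSION $codename main" > $apt/mariadb.list
+curl -s https://mariadb.org/mariadb_release_signing_key.asc | gpg --dearmor | tee /usr/share/keyrings/mariadb-keyring.gpg >/dev/null 2>&1
 fi
 
 # Installing HestiaCP repo
 echo "[ * ] Hestia Control Panel"
-echo "deb [arch=$ARCH] https://$RHOST/ $codename main" > $apt/hestia.list
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A189E93654F0B0E5 > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/hestia-keyring.gpg] https://$RHOST/ $codename main" > $apt/hestia.list
+gpg --no-default-keyring --keyring /usr/share/keyrings/hestia-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A189E93654F0B0E5 >/dev/null 2>&1
 
 # Installing PostgreSQL repo
 if [ "$postgresql" = 'yes' ]; then
 echo "[ * ] PostgreSQL"
-echo "deb [arch=$ARCH] https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > $apt/postgresql.list
-apt-key adv --fetch-keys 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/postgresql-keyring.gpg] https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > $apt/postgresql.list
+curl -s https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | tee /usr/share/keyrings/postgresql-keyring.gpg >/dev/null 2>&1
 fi
 
 # Echo for a new line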
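Review bot: The new `curl -s … | gpg --dearmor | tee …-keyring.gpg >/dev/null 2>&1` lines create the keyring file whether or not the download worked: `-s` without `-f` hides an HTTP error, no `pipefail` is visible in this hunk, and `tee` truncates the target even on empty input, so a failed fetch leaves an empty or invalid keyring that only shows up later as an apt signature error. I would download with `curl -fsSL` to a temporary file, stop on failure, and compare the key's fingerprint with a value pinned in the installer before writing it under `/usr/share/keyrings/`; the same pattern is repeated in install/hst-install-ubuntu.sh and install/upgrade/versions/1.5.5.sh. In the lines added at the top of the hunk, `mkdir /root/.gnupg/` errors when the directory already exists (the comment says otherwise) and mode 600 drops the search bit a directory needs; `mkdir -p /root/.gnupg && chmod 700 /root/.gnupg` matches the comment.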

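--- a/install/hst-install-ubuntu.sh
+++ b/install/hst-install-ubuntu.sh
@@ -665,9 +665,10 @@ echo
 # Installing Nginx repo
 
 echo "[ * ] NGINX"
-echo "deb [arch=$ARCH] https://nginx.org/packages/mainline/$VERSION/ $codename nginx" > $apt/nginx.list
-apt-key adv --fetch-keys 'https://nginx.org/keys/nginx_signing.key' > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/nginx-keyring.gpg] https://nginx.org/packages/mainline/$VERSION/ $codename nginx" > $apt/nginx.list
+curl -s https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-keyring.gpg >/dev/null 2>&1
 
+#add-apt-repository does not support it yet see #https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1862764
 # Installing sury PHP repo
 echo "[ * ] PHP"
 LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php > /dev/null 2>&1
@@ -681,20 +682,20 @@ fi
 # Installing MariaDB repo
 if [ "$mysql" = 'yes' ]; then
 echo "[ * ] MariaDB"
-echo "deb [arch=$ARCH] https://mirror.mva-n.net/mariadb/repo/$mariadb_v/$VERSION $codename main" > $apt/mariadb.list
-apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc' > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/mariadb-keyring.gpg] https://mirror.mva-n.net/mariadb/repo/$mariadb_v/$VERSION $codename main" > $apt/mariadb.list
+curl -s https://mariadb.org/mariadb_release_signing_key.asc | gpg --dearmor | tee /usr/share/keyrings/mariadb-keyring.gpg >/dev/null 2>&1
 fi
 
 # Installing HestiaCP repo
 echo "[ * ] Hestia Control Panel"
-echo "deb [arch=$ARCH] https://$RHOST/ $codename main" > $apt/hestia.list
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A189E93654F0B0E5 > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/hestia-keyring.gpg] https://$RHOST/ $codename main" > $apt/hestia.list
+gpg --no-default-keyring --keyring /usr/share/keyrings/hestia-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A189E93654F0B0E5 >/dev/null 2>&1
 
 # Installing PostgreSQL repo
 if [ "$postgresql" = 'yes' ]; then
 echo "[ * ] PostgreSQL"
-echo "deb [arch=$ARCH] https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > $apt/postgresql.list
-apt-key adv --fetch-keys 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' > /dev/null 2>&1
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/postgresql-keyring.gpg] https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > $apt/postgresql.list
+curl -s https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | tee /usr/share/keyrings/postgresql-keyring.gpg >/dev/null 2>&1
 fi
 
 # Echo for a new line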
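Review bot: In the second hunk the Hestia key is fetched with `--keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A189E93654F0B0E5`, that is over unencrypted HKP and selected by a 64-bit key ID, with all output discarded, so the script neither authenticates the transport nor notices a failed fetch before apt is pointed at `hestia-keyring.gpg`. Requesting the key by its full fingerprint over `hkps://keyserver.ubuntu.com`, or serving it over HTTPS from `$RHOST` like the other repositories, and checking gpg's exit status would close that gap, e.g. `--keyserver hkps://keyserver.ubuntu.com --recv-keys <FULL_40_HEX_FINGERPRINT>`. The same line is added in install/hst-install-debian.sh and install/upgrade/versions/1.5.5.sh.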

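--- a/install/upgrade/versions/1.5.2.sh
+++ b/install/upgrade/versions/1.5.2.sh
@@ -19,4 +19,5 @@ upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'true'
 upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
 upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'true'
 upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'true'
-upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
+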

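--- a/install/upgrade/versions/1.5.3.sh
+++ b/install/upgrade/versions/1.5.3.sh
@@ -19,4 +19,4 @@ upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'false'
 upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
 upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'false'
 upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'true'
-upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'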

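--- a/install/upgrade/versions/1.5.5.sh
+++ b/install/upgrade/versions/1.5.5.sh
@@ -26,3 +26,70 @@ for version in /etc/php/*/fpm/php-fpm.conf; do
 cp -f $HESTIA_INSTALL_DIR/php-fpm/php-fpm.conf /etc/php/$version/fpm/
 sed -i "s/fpm_v/$version/g" /etc/php/$version/fpm/php-fpm.conf
 done
+
+echo "[ * ] Updating apt keyring configuration..."
+
+if [ ! -f "/usr/share/keyrings/nginx-keyring.gpg" ]; then
+# Get Architecture
+architecture="$(uname -m)"
+case $architecture in
+x86_64)
+ARCH="amd64"
+;;
+aarch64)
+ARCH="arm64"
+;;
+*)
+echo "Not supported"
+esac
+
+#Get OS details
+os=$(grep "^ID=" /etc/os-release | cut -f 2 -d '=')
+codename="$(lsb_release -s -c)"
+release="$(lsb_release -s -r)"
+mariadb_v=`mysql -V | awk 'NR==1{print $5}' | head -c 4`
+RHOST='apt.hestiacp.com'
+
+apt="/etc/apt/sources.list.d"
+
+if [ -f "$apt/nginx.list" ]; then
+rm $apt/nginx.list
+echo " [ * ] NGINX"
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/nginx-keyring.gpg] https://nginx.org/packages/mainline/$os/ $codename nginx" > $apt/nginx.list
+curl -s https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-keyring.gpg >/dev/null 2>&1
+fi
+if [ "$os" = "debian" ]; then
+if [ -f "$apt/php.list" ]; then
+rm $apt/php.list
+echo " [ * ] PHP"
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/php/ $codename main" > $apt/php.list
+curl -s https://packages.sury.org/php/apt.gpg | gpg --dearmor | tee /usr/share/keyrings/sury-keyring.gpg >/dev/null 2>&1
+fi
+if [ -f "$apt/apache2.list" ]; then
+rm $apt/apache2.list
+echo " [ * ] Apache2"
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/apache2-keyring.gpg] https://packages.sury.org/apache2/ $codename main" > $apt/apache2.list
+curl -s https://packages.sury.org/apache2/apt.gpg | gpg --dearmor | tee /usr/share/keyrings/apache2-keyring.gpg >/dev/null 2>&1
+fi
+fi
+if [ -f "$apt/mariadb.list" ]; then
+rm $apt/mariadb.list
+echo " [ * ] MariaDB"
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/mariadb-keyring.gpg] https://mirror.mva-n.net/mariadb/repo/$mariadb_v/$os $codename main" > $apt/mariadb.list
+curl -s https://mariadb.org/mariadb_release_signing_key.asc | gpg --dearmor | tee /usr/share/keyrings/mariadb-keyring.gpg >/dev/null 2>&1
+fi
+if [ -f "$apt/hestia.list" ]; then
+rm $apt/hestia.list
+echo " [ * ] Hestia"
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/hestia-keyring.gpg] https://$RHOST/ $codename main" > $apt/hestia.list
+gpg --no-default-keyring --keyring /usr/share/keyrings/hestia-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A189E93654F0B0E5 >/dev/null 2>&1
+apt-key del A189E93654F0B0E5 >/dev/null 2>&1
+fi
+if [ -f "$apt/postgresql.list" ]; then
+rm $apt/postgresql.list
+echo "[ * ] PostgreSQL"
+echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/postgresql-keyring.gpg] https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > $apt/postgresql.list
+curl -s https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | tee /usr/share/keyrings/postgresql-keyring.gpg >/dev/null 2>&1
+fi
+
+fi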
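Review bot: Only the Hestia key is removed from the legacy keyring (`apt-key del A189E93654F0B0E5`); the nginx, sury, MariaDB and PostgreSQL keys that earlier installs added with `apt-key adv --fetch-keys` stay globally trusted, so on upgraded hosts the new `signed-by=` scoping does not yet restrict which key may sign which repository. Removing each old key by fingerprint once its dedicated keyring has been written would complete the migration. The block is also gated on `/usr/share/keyrings/nginx-keyring.gpg` not existing, while `tee` creates that file even when the download fails, and every `rm $apt/….list` runs before its key is fetched; testing with `[ ! -s … ]` and replacing a list only after its keyring is non-empty would leave a host on its working configuration if a fetch fails. Finally, the `*)` arm of the `case` only prints "Not supported" and continues, so on another architecture the lists are written with whatever `ARCH` already holds.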
