Merge branch 'fix/2020-07_rework-repo' into staging/fixes

Author: Kristan Kenney

CHANGELOG.md

@@ -15,7 +15,8 @@ All notable changes to this project will be documented in this file.
 - Fixed an issue where malformed JSON output was returned when custom theme files are present. (#967)
 - Fixed an error that would occur when running `v-change-user-php-cli` for the first time if .bash_aliases did not exist. (#960)
 - Corrected an issue where tooltips were not displayed when hovering over the top level menu items.
- 
+- Improved handling of APT repository keys during installation.
+
 ## [1.2.1] - Service Release 1
 ### Features
 - Consolidated First and Last Name fields to a singular name field to simply input.

install/hst-install-debian.sh

@@ -586,53 +586,39 @@ echo
 # Installing Nginx repo
 if [ "$nginx" = 'yes' ]; then
     echo "[ * ] NGINX"
-    echo "deb [arch=amd64] http://nginx.org/packages/mainline/$VERSION/ $codename nginx" > $apt/nginx.list
-    wget --quiet http://nginx.org/keys/nginx_signing.key -O /tmp/nginx_signing.key
-    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/nginx_signing.key > /dev/null 2>&1
+    echo "deb [arch=amd64] https://nginx.org/packages/mainline/$VERSION/ $codename nginx" > $apt/nginx.list
+    apt-key adv --fetch-keys 'https://nginx.org/keys/nginx_signing.key' > /dev/null 2>&1
 fi
 
 # Installing sury PHP repo
 echo "[ * ] PHP"
 echo "deb https://packages.sury.org/php/ $codename main" > $apt/php.list
-wget --quiet https://packages.sury.org/php/apt.gpg -O /tmp/php_signing.key
-APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/php_signing.key > /dev/null 2>&1
+apt-key adv --fetch-keys 'https://packages.sury.org/php/apt.gpg' > /dev/null 2>&1
 
 # Installing sury Apache2 repo
 if [ "$apache" = 'yes' ]; then
     echo "[ * ] Apache2"
     echo "deb https://packages.sury.org/apache2/ $codename main" > $apt/apache2.list
-    wget --quiet https://packages.sury.org/apache2/apt.gpg -O /tmp/apache2_signing.key
-    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/apache2_signing.key > /dev/null 2>&1
+    apt-key adv --fetch-keys 'https://packages.sury.org/apache2/apt.gpg' > /dev/null 2>&1
 fi
 
 # Installing MariaDB repo
 if [ "$mysql" = 'yes' ]; then
     echo "[ * ] MariaDB"
-    echo "deb [arch=amd64] http://ams2.mirrors.digitalocean.com/mariadb/repo/$mariadb_v/$VERSION $codename main" > $apt/mariadb.list
-    if [ "$release" -eq 8 ]; then
-        APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key adv --recv-keys --keyserver keyserver.ubuntu.com CBCB082A1BB943DB > /dev/null 2>&1
-    else
-        APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key adv --recv-keys --keyserver keyserver.ubuntu.com F1656F24C74CD1D8 > /dev/null 2>&1
-    fi
-fi
-
-# Installing Backport repo for Debian 8
-if [ "$release" -eq 8 ]; then
-    echo "deb [check-valid-until=no] http://archive.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
+    echo "deb [arch=amd64] https://mirror.mva-n.net/mariadb/repo/$mariadb_v/$VERSION $codename main" > $apt/mariadb.list
+    apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc' > /dev/null 2>&1
 fi
 
 # Installing HestiaCP repo
 echo "[ * ] Hestia Control Panel"
 echo "deb https://$RHOST/ $codename main" > $apt/hestia.list
-APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A189E93654F0B0E5 > /dev/null 2>&1
+apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A189E93654F0B0E5 > /dev/null 2>&1
 
 # Installing PostgreSQL repo
 if [ "$postgresql" = 'yes' ]; then
     echo "[ * ] PostgreSQL"
-    echo "deb http://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > $apt/postgresql.list
-    wget --quiet https://www.postgresql.org/media/keys/ACCC4CF8.asc -O /tmp/psql_signing.key
-    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/psql_signing.key > /dev/null 2>&1
-    rm /tmp/psql_signing.key
+    echo "deb https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > $apt/postgresql.list
+    apt-key adv --fetch-keys 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' > /dev/null 2>&1
 fi
 
 # Echo for a new line
@@ -1587,31 +1573,6 @@ if [ "$dovecot" = 'yes' ] && [ "$exim" = 'yes' ] && [ "$mysql" = 'yes' ]; then
     sed -i "s/%des_key%/$rcDesKey/g" /etc/roundcube/config.inc.php
     sed -i "s/localhost/$servername/g" /etc/roundcube/plugins/password/config.inc.php
     mysql roundcube < /usr/share/dbconfig-common/data/roundcube/install/mysql
-
-    if [ "$release" -eq 8 ]; then
-        # RoundCube tinyMCE fix
-        tinymceFixArchiveURL=$HESTIA_INSTALL_DIR/roundcube/roundcube-tinymce.tar.gz
-        tinymceParentFolder=/usr/share/roundcube/program/js
-        tinymceFolder=$tinymceParentFolder/tinymce
-        tinymceBadJS=$tinymceFolder/tiny_mce.js
-        tinymceFixArchive=$tinymceParentFolder/roundcube-tinymce.tar.gz
-        if [[ -L "$tinymceFolder" && -d "$tinymceFolder" ]]; then
-            if [ -f "$tinymceBadJS" ]; then
-                wget $tinymceFixArchiveURL -O $tinymceFixArchive
-                if [[ -f "$tinymceFixArchive" && -s "$tinymceFixArchive" ]]
-                then
-                    rm $tinymceFolder
-                    tar -xzf $tinymceFixArchive -C $tinymceParentFolder
-                    rm $tinymceFixArchive
-                    chown -R root:root $tinymceFolder
-                else
-                    echo -n "File roundcube-tinymce.tar.gz is not downloaded,"
-                    echo "RoundCube tinyMCE fix is not applied"
-                    rm $tinymceFixArchive
-                fi
-            fi
-        fi
-    fi
 
     # Enable Roundcube plugins
     cp -f $HESTIA_INSTALL_DIR/roundcube/plugins/config_newmail_notifier.inc.php /etc/roundcube/plugins/newmail_notifier/config.inc.php

install/hst-install-ubuntu.sh

@@ -561,10 +561,8 @@ echo
 # Installing Nginx repo
 if [ "$nginx" = 'yes' ]; then
     echo "[ * ] NGINX"
-    echo "deb [arch=amd64] http://nginx.org/packages/mainline/$VERSION/ $codename nginx" \
-    > $apt/nginx.list
-    wget --quiet http://nginx.org/keys/nginx_signing.key -O /tmp/nginx_signing.key
-    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/nginx_signing.key > /dev/null 2>&1
+    echo "deb [arch=amd64] https://nginx.org/packages/mainline/$VERSION/ $codename nginx" > $apt/nginx.list
+    apt-key adv --fetch-keys 'https://nginx.org/keys/nginx_signing.key' > /dev/null 2>&1
 fi
 
 # Installing sury PHP repo
@@ -580,22 +578,20 @@ fi
 # Installing MariaDB repo
 if [ "$mysql" = 'yes' ]; then
     echo "[ * ] MariaDB"
-    echo "deb [arch=amd64] http://ams2.mirrors.digitalocean.com/mariadb/repo/$mariadb_v/$VERSION $codename main" > $apt/mariadb.list
-    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xF1656F24C74CD1D8 > /dev/null 2>&1
+    echo "deb [arch=amd64] https://mirror.mva-n.net/mariadb/repo/$mariadb_v/$VERSION $codename main" > $apt/mariadb.list
+    apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc' > /dev/null 2>&1
 fi
 
 # Installing HestiaCP repo
 echo "[ * ] Hestia Control Panel"
 echo "deb https://$RHOST/ $codename main" > $apt/hestia.list
-APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A189E93654F0B0E5 > /dev/null 2>&1
+apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A189E93654F0B0E5 > /dev/null 2>&1
 
 # Installing PostgreSQL repo
 if [ "$postgresql" = 'yes' ]; then
     echo "[ * ] PostgreSQL"
-    echo "deb http://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > $apt/postgresql.list
-    wget --quiet https://www.postgresql.org/media/keys/ACCC4CF8.asc -O /tmp/psql_signing.key
-    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/psql_signing.key > /dev/null 2>&1
-    rm /tmp/psql_signing.key
+    echo "deb https://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > $apt/postgresql.list
+    apt-key adv --fetch-keys 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' > /dev/null 2>&1
 fi
 
 # Echo for a new line

install/upgrade/versions/latest.sh

@@ -14,4 +14,36 @@ $BIN/v-update-web-templates
 echo "[ ! ] Updating default mail domain templates..."
 $BIN/v-update-mail-templates
 echo "[ ! ] Updating default DNS zone templates..."
-$BIN/v-update-dns-templates
+$BIN/v-update-dns-templates
+
+# Rework apt repositories
+apt="/etc/apt/sources.list.d"
+echo "[*] Hardening apt repositories..."
+
+if [ -f "$apt/nginx.list" ]; then
+    if grep -q "http://nginx.org/packages/mainline/" $apt/nginx.list; then
+        echo "    [ * ] NGINX"
+        sed -i "s/http\:\/\/nginx.org/https\:\/\/nginx.org/g" $apt/nginx.list
+    fi
+fi
+
+if [ -f "$apt/php.list" ]; then
+    if grep -q "http://packages.sury.org/" $apt/php.list; then
+        echo "    [ * ] PHP"
+        sed -i "s/http\:\/\/packages.sury.org/https\:\/\/packages.sury.org/g" $apt/php.list
+    fi
+fi
+
+if [ -f "$apt/mariadb.list" ]; then
+    if grep -q "http://ams2.mirrors.digitalocean.com" $apt/mariadb.list; then
+        echo "    [ * ] MariaDB"
+        sed -i "s/http\:\/\/ams2.mirrors.digitalocean.com/https\:\/\/mirror.mva-n.net/g" $apt/mariadb.list
+    fi
+fi
+
+if [ -f "$apt/postgresql.list" ]; then
+    if grep -q "http://apt.postgresql.org" $apt/postgresql.list; then
+        echo "    [ * ] PostgreSQL"
+        sed -i "s/http\:\/\/apt.postgresql.org/https\:\/\/apt.postgresql.org/g" $apt/postgresql.list
+    fi
+fi