From 9601ff7db8fc102bfa6b707cfbc702cedb848dcc Mon Sep 17 00:00:00 2001
From: demonspork
Date: Wed, 3 Jan 2024 10:53:16 -0600
Subject: [PATCH] Improve apt key security and always install sngrep from official (#416)

* Improve apt key security and always install sngrep from official

* Correct PHP GPG key file path
---
 debian/resources/php.sh | 30 +++++++++++-----------
 debian/resources/postgresql.sh | 6 ++---
 debian/resources/sngrep.sh | 6 ++---
 debian/resources/switch/package-release.sh | 6 ++---
 debian/resources/switch/repo.sh | 6 ++---
 debian/resources/upgrade/php.sh | 8 +++---
 devuan/resources/switch/package-release.sh | 6 ++---
 ubuntu/resources/postgresql.sh | 4 +--
 8 files changed, 35 insertions(+), 37 deletions(-)

diff --git a/debian/resources/php.sh b/debian/resources/php.sh
index 92891e8..196af60 100755
--- a/debian/resources/php.sh
+++ b/debian/resources/php.sh
@@ -39,41 +39,41 @@ else apt-get -y install apt-transport-https lsb-release ca-certificates if [ ."$os_codename" = ."jessie" ]; then - wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg - sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' + wget -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor -o /etc/apt/keyrings/php.gpg + sh -c 'echo "deb [signed-by=/etc/apt/keyrings/php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' fi if [ ."$os_codename" = ."stretch" ]; then - wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg - sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' + wget -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor -o /etc/apt/keyrings/php.gpg + sh -c 'echo "deb [signed-by=/etc/apt/keyrings/php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' fi if [ ."$os_codename" = ."buster" ]; then - wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg + wget -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor -o /etc/apt/keyrings/php.gpg sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' fi if [ ."$os_codename" = ."bullseye" ]; then if [ ."$php_version" = ."8.1" ]; then /usr/bin/apt -y install apt-transport-https lsb-release ca-certificates curl wget gnupg2 - /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/sury-php-8.x.gpg - /usr/bin/sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' + /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/keyrings/sury-php-8.x.gpg + /usr/bin/sh -c 'echo "deb [signed-by=/etc/apt/keyrings/php.gpg] https://packages.sury.org/php/ 
$(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' fi if [ ."$php_version" = ."8.2" ]; then /usr/bin/apt -y install apt-transport-https lsb-release ca-certificates curl wget gnupg2 - /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/sury-php-8.x.gpg - /usr/bin/sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' + /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/keyrings/sury-php-8.x.gpg + /usr/bin/sh -c 'echo "deb [signed-by=/etc/apt/keyrings/php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' fi fi if [ ."$os_codename" = ."bookworm" ]; then if [ ."$php_version" = ."8.1" ]; then /usr/bin/apt -y install apt-transport-https lsb-release ca-certificates curl wget gnupg2 - /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/sury-php-8.x.gpg - /usr/bin/chmod 644 /etc/apt/trusted.gpg.d/sury-php-8.x.gpg - /usr/bin/sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' + /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/keyrings/sury-php-8.x.gpg + /usr/bin/chmod 644 /etc/apt/keyrings/sury-php-8.x.gpg + /usr/bin/sh -c 'echo "deb [signed-by=/etc/apt/keyrings/sury-php-8.x.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' fi if [ ."$php_version" = ."8.2" ]; then /usr/bin/apt -y install apt-transport-https lsb-release ca-certificates curl wget gnupg2 - /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/sury-php-8.x.gpg - /usr/bin/chmod 644 /etc/apt/trusted.gpg.d/sury-php-8.x.gpg - /usr/bin/sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' + /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg 
--dearmor > /etc/apt/keyrings/sury-php-8.x.gpg + /usr/bin/chmod 644 /etc/apt/keyrings/sury-php-8.x.gpg + /usr/bin/sh -c 'echo "deb [signed-by=/etc/apt/keyrings/sury-php-8.x.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' fi fi fi diff --git a/debian/resources/postgresql.sh b/debian/resources/postgresql.sh index 840e756..dcc9ec6 100755 --- a/debian/resources/postgresql.sh +++ b/debian/resources/postgresql.sh @@ -28,9 +28,9 @@ fi #postgres official repository if [ ."$database_repo" = ."official" ]; then - sh -c 'echo "deb [signed-by=/etc/apt/trusted.gpg.d/pgdg.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' - wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/pgdg.gpg - chmod 644 /etc/apt/trusted.gpg.d/pgdg.gpg + sh -c 'echo "deb [signed-by=/etc/apt/keyrings/pgdg.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' + wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/keyrings/pgdg.gpg + chmod 644 /etc/apt/keyrings/pgdg.gpg apt-get update && apt-get upgrade -y if [ ."$database_host" = ."127.0.0.1" ] || [ ."$database_host" = ."::1" ] ; then if [ ."$database_version" = ."latest" ]; then diff --git a/debian/resources/sngrep.sh b/debian/resources/sngrep.sh index 94c887e..e034339 100755 --- a/debian/resources/sngrep.sh +++ b/debian/resources/sngrep.sh 
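Review bot: The buster branch now dearmors the key into /etc/apt/keyrings/php.gpg but its sources line keeps no `[signed-by=...]`, and /etc/apt/keyrings is not a directory apt consults on its own, so `apt-get update` will treat the sury repository as unsigned (NO_PUBKEY); that line should read `sh -c 'echo "deb [signed-by=/etc/apt/keyrings/php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'`. The two bullseye branches have the mirror-image problem: the key is written to /etc/apt/keyrings/sury-php-8.x.gpg while signed-by points at /etc/apt/keyrings/php.gpg, which the follow-up "Correct PHP GPG key file path" fixed only for bookworm, and the same mismatch is in both hunks of debian/resources/upgrade/php.sh. As far as I know /etc/apt/keyrings is only shipped by apt on newer releases (bookworm and later), so on jessie, stretch, buster and bullseye `gpg --dearmor -o` will fail on a missing directory unless the script first runs `install -d -m 0755 /etc/apt/keyrings`. The jessie/stretch/buster branches also never install gnupg, so `gpg` may be absent on a minimal image, whereas the bullseye/bookworm branches explicitly add gnupg2.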
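Review bot: /etc/apt/keyrings is written to here without being created first; on releases whose apt does not ship that directory (buster and bullseye, as far as I know) `gpg --dearmor -o /etc/apt/keyrings/pgdg.gpg` fails, and the repository is then registered against a key file that does not exist, so add `mkdir -p -m 0755 /etc/apt/keyrings` ahead of the wget line. The same holds for the ubuntu/resources/postgresql.sh hunk and for every other hunk in this patch that targets /etc/apt/keyrings. The download pipeline runs without pipefail, so a failed fetch leaves an empty keyring and the script proceeds straight to `apt-get update && apt-get upgrade -y`; a `|| exit 1` on the pipeline would make that visible instead of surfacing later as NO_PUBKEY.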
@@ -18,10 +18,8 @@ if [ ."$cpu_architecture" = ."arm" ]; then cd /usr/src/sngrep && make install else #package install - if [ ."$os_codename" = ."jessie" ]; then - echo "deb http://packages.irontec.com/debian $os_codename main" > /etc/apt/sources.list.d/sngrep.list - wget http://packages.irontec.com/public.key -q -O - | apt-key add - - fi + echo "deb [signed-by=/etc/apt/keyrings/irontec.gpg] http://packages.irontec.com/debian $os_codename main" > /etc/apt/sources.list.d/sngrep.list + wget http://packages.irontec.com/public.key -q -O - | gpg --dearmor -o /etc/apt/keyrings/irontec.gpg apt-get update apt-get install -y sngrep fi diff --git a/debian/resources/switch/package-release.sh b/debian/resources/switch/package-release.sh index 0e3ea07..310be90 100755 --- a/debian/resources/switch/package-release.sh +++ b/debian/resources/switch/package-release.sh 
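Review bot: The trust anchor for the new signed-by entry is fetched over plain HTTP (`wget http://packages.irontec.com/public.key`), so the key that every future sngrep package is verified against can be replaced by anyone on the network path; the removed apt-key flow had the same exposure, but with the jessie-only guard gone every Debian install now takes this route. If the host serves TLS, change the fetch to `wget -q -O - https://packages.irontec.com/public.key | gpg --dearmor -o /etc/apt/keyrings/irontec.gpg`; if it does not, the key is better vendored into this repository and installed from disk than downloaded unauthenticated at install time. The enclosing `if`/`else` on cpu_architecture begins before the hunk. As in the other hunks, /etc/apt/keyrings is assumed to already exist.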
@@ -19,10 +19,10 @@ if [ ."$cpu_architecture" = ."x86" ]; then echo "deb-src [signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg] https://freeswitch.signalwire.com/repo/deb/debian-release/ `lsb_release -sc` main" >> /etc/apt/sources.list.d/freeswitch.list fi if [ ."$cpu_architecture" = ."arm" ]; then - wget --http-user=signalwire --http-password=$switch_token -O - https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/freeswitch_archive_g0.pub | apt-key add - + wget --http-user=signalwire --http-password=$switch_token -O /usr/share/keyrings/signalwire-freeswitch-repo.gpg https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/freeswitch_archive_g0.pub echo "machine freeswitch.signalwire.com login signalwire password $switch_token" > /etc/apt/auth.conf - echo "deb https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ `lsb_release -sc` main" > /etc/apt/sources.list.d/freeswitch.list - echo "deb-src https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ `lsb_release -sc` main" >> /etc/apt/sources.list.d/freeswitch.list + echo "deb [signed-by=/etc/apt/keyrings/signalwire-freeswitch-repo.gpg] https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ `lsb_release -sc` main" > /etc/apt/sources.list.d/freeswitch.list + echo "deb-src [signed-by=/etc/apt/keyrings/signalwire-freeswitch-repo.gpg] https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ `lsb_release -sc` main" >> /etc/apt/sources.list.d/freeswitch.list fi apt-get update diff --git a/debian/resources/switch/repo.sh b/debian/resources/switch/repo.sh index d58f7be..5220c95 100755 --- a/debian/resources/switch/repo.sh +++ b/debian/resources/switch/repo.sh 
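Review bot: In the arm branch the key is saved to /usr/share/keyrings/signalwire-freeswitch-repo.gpg, but both new sources lines name `signed-by=/etc/apt/keyrings/signalwire-freeswitch-repo.gpg`, a file that is never written, so `apt-get update` will fail with NO_PUBKEY; the two echo lines should use `[signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg]`, matching both the wget target and the x86 branch above. The devuan/resources/switch/package-release.sh hunk has the identical mismatch. It is also worth confirming that freeswitch_archive_g0.pub is in a form apt accepts when written straight to disk under a .gpg name — the other hunks in this patch pass downloaded keys through `gpg --dearmor`, and an ASCII-armored file may not be accepted by older apt; `wget ... -O - ... | gpg --dearmor -o /usr/share/keyrings/signalwire-freeswitch-repo.gpg` would be consistent with them. `$switch_token` should be quoted (`--http-password="$switch_token"`) so an empty or space-containing token does not break the command line.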
@@ -19,7 +19,7 @@ if [ ."$cpu_architecture" = ."x86" ]; then echo "deb-src [signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg] https://freeswitch.signalwire.com/repo/deb/debian-release/ `lsb_release -sc` main" >> /etc/apt/sources.list.d/freeswitch.list fi if [ ."$cpu_architecture" = ."arm" ]; then - wget -O - https://files.freeswitch.org/repo/deb/rpi/debian-release/freeswitch_archive_g0.pub | apt-key add - - echo "deb http://files.freeswitch.org/repo/deb/rpi/debian-release/ `lsb_release -sc` main" > /etc/apt/sources.list.d/freeswitch.list - echo "deb-src http://files.freeswitch.org/repo/deb/rpi/debian-release/ `lsb_release -sc` main" >> /etc/apt/sources.list.d/freeswitch.list + wget --http-user=signalwire --http-password=$switch_token -O /usr/share/keyrings/signalwire-freeswitch-repo.gpg https://files.freeswitch.org/repo/deb/rpi/debian-release/freeswitch_archive_g0.pub + echo "deb [signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg] http://files.freeswitch.org/repo/deb/rpi/debian-release/ `lsb_release -sc` main" > /etc/apt/sources.list.d/freeswitch.list + echo "deb-src [signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg] http://files.freeswitch.org/repo/deb/rpi/debian-release/ `lsb_release -sc` main" >> /etc/apt/sources.list.d/freeswitch.list fi diff --git a/debian/resources/upgrade/php.sh b/debian/resources/upgrade/php.sh index 2598f66..0536ec9 100755 --- a/debian/resources/upgrade/php.sh +++ b/debian/resources/upgrade/php.sh 
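Review bot: The new wget line offers `--http-user=signalwire --http-password=$switch_token` to files.freeswitch.org, the public host that the removed line fetched anonymously; that credential belongs to freeswitch.signalwire.com (see switch/package-release.sh) and should not be presented to a different host, and unless this script also sources the token `$switch_token` is likely empty here. wget only sends Basic credentials after a 401 challenge unless --auth-no-challenge is given, so the practical exposure is limited, but the options should simply be dropped: `wget -O /usr/share/keyrings/signalwire-freeswitch-repo.gpg https://files.freeswitch.org/repo/deb/rpi/debian-release/freeswitch_archive_g0.pub`. Whether the .pub file is ASCII-armored and needs `gpg --dearmor` before apt accepts it as a signed-by keyring should also be checked, since the file is used as-is.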
@@ -34,8 +34,8 @@ cd "$(dirname "$0")" if [ ."$php_version" = ."8.2" ]; then #add a repo for php 8.x /usr/bin/apt -y install apt-transport-https lsb-release ca-certificates curl wget gnupg2 - /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/sury-php-8.x.gpg - /usr/bin/sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' + /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/keyrings/sury-php-8.x.gpg + /usr/bin/sh -c 'echo "deb [signed-by=/etc/apt/keyrings/php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' /usr/bin/apt-get update #install php 8.2 @@ -50,8 +50,8 @@ fi if [ ."$php_version" = ."8.1" ]; then #add a repo for php 7.x /usr/bin/apt -y install apt-transport-https lsb-release ca-certificates curl wget gnupg2 - /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/sury-php-8.x.gpg - /usr/bin/sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' + /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/keyrings/sury-php-8.x.gpg + /usr/bin/sh -c 'echo "deb [signed-by=/etc/apt/keyrings/php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' /usr/bin/apt-get update #install php 8.1 diff --git a/devuan/resources/switch/package-release.sh b/devuan/resources/switch/package-release.sh index 7209dbb..a2a744f 100755 --- a/devuan/resources/switch/package-release.sh +++ b/devuan/resources/switch/package-release.sh 
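Review bot: Because this is the upgrade path, hosts provisioned before this change still carry /etc/apt/trusted.gpg.d/sury-php-8.x.gpg, which keeps the sury key globally trusted for every configured repository and so defeats the scoping that signed-by is meant to provide; once the keyring under /etc/apt/keyrings is in place, both hunks should remove the legacy file with `rm -f /etc/apt/trusted.gpg.d/sury-php-8.x.gpg`. On a bullseye host being upgraded, /etc/apt/keyrings does not exist by default as far as I know, so `gpg --dearmor > /etc/apt/keyrings/sury-php-8.x.gpg` will fail unless the directory is created first. The `if` blocks on php_version continue past each hunk's end.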
@@ -19,10 +19,10 @@ if [ ."$cpu_architecture" = ."x86" ]; then echo "deb-src [signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg] https://freeswitch.signalwire.com/repo/deb/debian-release/ ${os_codename_debian} main" >> /etc/apt/sources.list.d/freeswitch.list fi if [ ."$cpu_architecture" = ."arm" ]; then - wget --http-user=signalwire --http-password=$switch_token -O - https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/freeswitch_archive_g0.pub | apt-key add - + wget --http-user=signalwire --http-password=$switch_token -O /usr/share/keyrings/signalwire-freeswitch-repo.gpg https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/freeswitch_archive_g0.pub echo "machine freeswitch.signalwire.com login signalwire password $switch_token" > /etc/apt/auth.conf - echo "deb https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ ${os_codename_debian} main" > /etc/apt/sources.list.d/freeswitch.list - echo "deb-src https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ ${os_codename_debian} main" >> /etc/apt/sources.list.d/freeswitch.list + echo "deb [signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg] https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ ${os_codename_debian} main" > /etc/apt/sources.list.d/freeswitch.list + echo "deb-src [signed-by=/usr/share/keyrings/signalwire-freeswitch-repo.gpg] https://freeswitch.signalwire.com/repo/deb/rpi/debian-release/ ${os_codename_debian} main" >> /etc/apt/sources.list.d/freeswitch.list fi apt-get update diff --git a/ubuntu/resources/postgresql.sh b/ubuntu/resources/postgresql.sh index 19d6903..64df8bf 100755 --- a/ubuntu/resources/postgresql.sh +++ b/ubuntu/resources/postgresql.sh 
@@ -24,8 +24,8 @@ fi #postgres official repository if [ ."$database_repo" = ."official" ]; then - sh -c 'echo "deb [signed-by=/etc/apt/trusted.gpg.d/pgdg.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' - wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/pgdg.gpg + sh -c 'echo "deb [signed-by=/etc/apt/keyrings/pgdg.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' + wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/keyrings/pgdg.gpg apt-get update && apt-get upgrade -y if [ ."$database_host" = ."127.0.0.1" ] || [ ."$database_host" = ."::1" ] ; then if [ ."$database_version" = ."latest" ]; then
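Review bot: The `chmod 644 /etc/apt/keyrings/pgdg.gpg` that the debian/resources/postgresql.sh counterpart carries is missing here; `gpg --dearmor -o` creates the file under the caller's umask, and a keyring that is not world-readable is ignored by apt's signature check (which runs as the _apt user) with a "not readable by user '_apt'" warning, leaving the repository unverifiable. Add `chmod 644 /etc/apt/keyrings/pgdg.gpg` after the wget line so the two scripts behave the same. The directory is not created here either, which matters on Ubuntu releases older than 22.04 whose apt, as far as I know, does not ship /etc/apt/keyrings.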