From 0b9be9efacfde17cf26b78e04018d9c88d5bbe0b Mon Sep 17 00:00:00 2001
From: Preetam D'Souza <preetamjdsouza@gmail.com>
Date: Thu, 25 May 2017 17:58:42 -0400
Subject: [PATCH] Switch to secure APT

http://packages.maruos.com/debian now uses signed Release files so we
can drop the --allow-unauthenticated flag and cryptographically verify
packages against the Maru signing key.

Signed-off-by: Preetam D'Souza <preetamjdsouza@gmail.com>
---
 blueprint/debian/chroot-configure.sh | 24 ++++++++++++++++++++----
 blueprint/debian/plugin.sh           | 11 -----------
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/blueprint/debian/chroot-configure.sh b/blueprint/debian/chroot-configure.sh
index 7aca801..5e2082c 100755
--- a/blueprint/debian/chroot-configure.sh
+++ b/blueprint/debian/chroot-configure.sh
@@ -18,6 +18,7 @@
 #
 
 set -e
+set -u
 
 readonly RECOMMENDS_MIN="xfce4-terminal
 vim-tiny
@@ -37,7 +38,7 @@ install () {
     dpkg -i maru_* || true
 
     # install all missing packages in "Depends"
-    apt-get -y --allow-unauthenticated install -f
+    apt-get -y install -f
 }
 
 install_minimal () {
@@ -48,7 +49,7 @@ install_minimal () {
     dpkg -i maru_* || true
 
     # install all missing packages in "Depends"
-    apt-get -y --allow-unauthenticated install --no-install-recommends -f
+    apt-get -y install --no-install-recommends -f
 
     # HACK for now to skip libreoffice launcher icons
     mv /home/maru/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel-minimal.xml \
@@ -57,11 +58,11 @@ install_minimal () {
 }
 
 OPT_MINIMAL=false
-while true; do
+while [ $# -gt 0 ]; do
     case "$1" in
         -m|--minimal) OPT_MINIMAL=true; shift ;;
         --) shift; break ;;
-        *-) echo >&2 "Unrecognized option $1"; exit 2 ;;
+        -*) echo >&2 "Unrecognized option $1"; exit 2 ;;
         *) break;
     esac
 done
@@ -84,12 +85,23 @@ fi
 
 apt-get clean && apt-get update
 
+# add maru apt repository for installing dependencies
+apt-get install -y curl
+curl -fsSL https://maruos.com/static/gpg.txt | apt-key add -
+cat > /etc/apt/sources.list.d/maruos.list <<EOF
+deb http://packages.maruos.com/debian testing/
+EOF
+apt-get update
+
 if [ "$OPT_MINIMAL" = true ] ; then
     install_minimal
 else
     install
 fi
 
+# delete maru apt repository for now (upgrades not tested)
+rm /etc/apt/sources.list.d/maruos.list
+
 # get rid of xscreensaver and annoying warning
 apt-get -y purge xscreensaver xscreensaver-data
 
@@ -105,5 +117,9 @@ apt-get clean
 # clean package lists (this can be recreated with apt-get update)
 rm -rf /var/lib/apt/lists/*
 
+#
+# final prep
+#
+
 # root acount is unnecessary since default account + sudo is all set up
 passwd -dl root
diff --git a/blueprint/debian/plugin.sh b/blueprint/debian/plugin.sh
index a771241..a6675d6 100644
--- a/blueprint/debian/plugin.sh
+++ b/blueprint/debian/plugin.sh
@@ -20,8 +20,6 @@ readonly BLUEPRINT_NAME="DEBIAN"
 readonly DEFAULT_RELEASE="jessie"
 readonly DEFAULT_ARCH="armhf"
 
-readonly DEFAULT_MARU_RELEASE="testing"
-
 # tweaks to upstream template, must be absolute path
 # note: this is only used because older versions of LXC do not support
 # cross-debootstrapping in the debian template
@@ -84,11 +82,6 @@ EOF
     # make sure we have a dynamic mirror for installing packages
     cat > "${rootfs}/etc/apt/sources.list" <<EOF
 deb http://httpredir.debian.org/debian ${release} main
-EOF
-
-    # add maru apt repository for installing dependencies
-    cat > "${rootfs}/etc/apt/sources.list.d/maruos.list" <<EOF
-deb http://packages.maruos.com/debian ${DEFAULT_MARU_RELEASE}/
 EOF
 
     # disable any default.target
@@ -116,10 +109,6 @@ EOF
     fi
 
     chroot "$rootfs" bash -c "cd /tmp && ./${CHROOT_SCRIPT} $script_args"
-
-    # delete maru apt repository for now (upgrades not tested)
-    rm "${rootfs}/etc/apt/sources.list.d/maruos.list"
-
 }
 
 blueprint_build () {