From e4782dee68bb724d6a6b84c532a0fabd84fe7626 Mon Sep 17 00:00:00 2001
From: Aiden McClelland
Date: Fri, 26 Jul 2024 01:41:11 -0600
Subject: [PATCH] fix ca cert issue
---
 build/lib/scripts/enable-kiosk | 21 ++++++++++-----------
 core/startos/src/init.rs | 20 ++++++++++++++++++++
 2 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/build/lib/scripts/enable-kiosk b/build/lib/scripts/enable-kiosk
index ad7cd4bf3..45bed5fe9 100755
--- a/build/lib/scripts/enable-kiosk
+++ b/build/lib/scripts/enable-kiosk
@@ -14,14 +14,8 @@ if ! id kiosk; then
 useradd -s /bin/bash --create-home kiosk
 fi
-# create kiosk script
-cat > /home/kiosk/kiosk.sh << 'EOF'
-#!/bin/sh
-PROFILE=$(mktemp -d)
-if [ -f /usr/local/share/ca-certificates/startos-root-ca.crt ]; then
- certutil -A -n "StartOS Local Root CA" -t "TCu,Cuw,Tuw" -i /usr/local/share/ca-certificates/startos-root-ca.crt -d $PROFILE
-fi
-cat >> $PROFILE/prefs.js << EOT
+mkdir /home/kiosk/fx-profile
+cat >> /home/kiosk/fx-profile/prefs.js << EOF
 user_pref("app.normandy.api_url", "");
 user_pref("app.normandy.enabled", false);
 user_pref("app.shield.optoutstudies.enabled", false);
@@ -87,7 +81,11 @@ user_pref("toolkit.telemetry.shutdownPingSender.enabled", false);
 user_pref("toolkit.telemetry.unified", false);
 user_pref("toolkit.telemetry.updatePing.enabled", false);
 user_pref("toolkit.telemetry.cachedClientID", "");
-EOT
+EOF
+
+# create kiosk script
+cat > /home/kiosk/kiosk.sh << 'EOF'
+#!/bin/sh
 while ! curl "http://localhost" > /dev/null; do
 sleep 1
 done
@@ -101,8 +99,7 @@ done
 killall firefox-esr
 ) &
 matchbox-window-manager -use_titlebar no &
-firefox-esr http://localhost --profile $PROFILE
-rm -rf $PROFILE
+firefox-esr http://localhost --profile /home/kiosk/fx-profile
 EOF
 chmod +x /home/kiosk/kiosk.sh
@@ -116,6 +113,8 @@ fi
 EOF
 fi
+chown -R kiosk:kiosk /home/kiosk
+
 # enable autologin
 mkdir -p /etc/systemd/system/getty@tty1.service.d
 cat > /etc/systemd/system/getty@tty1.service.d/autologin.conf << 'EOF'
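Review bot: In the `@@ -14,14 +14,8 @@` hunk of enable-kiosk, `mkdir /home/kiosk/fx-profile` fails when the directory already exists and `cat >> /home/kiosk/fx-profile/prefs.js` appends, so a second run of the script is not repeatable. Depending on whether the script runs under `set -e` (not visible here), it either stops at the mkdir or writes every `user_pref` line a second time. `mkdir -p /home/kiosk/fx-profile` and `cat > /home/kiosk/fx-profile/prefs.js << 'EOF'` make the step idempotent. Quoting the delimiter also keeps the shell from expanding `$` or backticks if a preference value ever contains them.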
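Review bot: In the `@@ -101,8 +99,7 @@` hunk the kiosk browser switches from a throwaway `mktemp -d` profile that was removed on exit to the fixed `/home/kiosk/fx-profile`, so cookies, history and any saved logins now persist across sessions on a console that logs in automatically. If the profile has to persist so that init can import the CA into it, consider adding `user_pref("browser.privatebrowsing.autostart", true);` or `user_pref("privacy.sanitize.sanitizeOnShutdown", true);` to prefs.js. Most of the pref list lies outside the visible hunks, so this may already be covered. A comment above the `firefox-esr` line such as `# persistent profile: init imports the root CA into its NSS db at boot` would record why the temporary profile was dropped.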
diff --git a/core/startos/src/init.rs b/core/startos/src/init.rs
index 735ca85a5..5e0fa932f 100644
--- a/core/startos/src/init.rs
+++ b/core/startos/src/init.rs
@@ -398,6 +398,20 @@ pub async fn init(
 Command::new("update-ca-certificates")
 .invoke(crate::ErrorKind::OpenSsl)
 .await?;
+ if tokio::fs::metadata("/home/kiosk/profile").await.is_ok() {
+ Command::new("certutil")
+ .arg("-A")
+ .arg("-n")
+ .arg("StartOS Local Root CA")
+ .arg("-t")
+ .arg("TCu,Cuw,Tuw")
+ .arg("-i")
+ .arg("/usr/local/share/ca-certificates/startos-root-ca.crt")
+ .arg("-d")
+ .arg("/home/kiosk/fx-profile")
+ .invoke(ErrorKind::OpenSsl)
+ .await?;
+ }
 load_ca_cert.complete();
 load_wifi.start();
@@ -422,6 +436,12 @@ pub async fn init(
 tokio::fs::remove_dir_all(&tmp_var).await?;
 }
 crate::disk::mount::util::bind(&tmp_var, "/var/tmp", false).await?;
+ let downloading = cfg
+ .datadir()
+ .join(format!("package-data/archive/downloading"));
+ if tokio::fs::metadata(&downloading).await.is_ok() {
+ tokio::fs::remove_dir_all(&downloading).await?;
+ }
 let tmp_docker = cfg
 .datadir()
 .join(format!("package-data/tmp/{CONTAINER_TOOL}"));
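Review bot: The guard in the `@@ -398,6 +398,20 @@` hunk tests `/home/kiosk/profile`, but certutil is pointed at `/home/kiosk/fx-profile`, which is also the directory enable-kiosk creates in this patch. As written the import looks like it is skipped on every kiosk install, so the guard should read `if tokio::fs::metadata("/home/kiosk/fx-profile").await.is_ok() {`. Once it does run, init presumably executes as root, so the NSS database files certutil creates may end up root-owned inside the kiosk user's profile; a chown after the import, or running certutil as `kiosk`, would avoid that. The trust string `TCu,Cuw,Tuw` trusts the CA for TLS, e-mail and object signing, whereas `C,,` would be the narrower grant for a browser that only visits the local UI. The new call also uses bare `ErrorKind::OpenSsl` where the line above uses `crate::ErrorKind::OpenSsl`; init's body continues outside the hunk.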
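Review bot: `format!("package-data/archive/downloading")` in the `@@ -422,6 +436,12 @@` hunk has no placeholders, so the macro only allocates a String; `.join("package-data/archive/downloading")` is enough (clippy reports this as `useless_format`). The cleanup also carries no comment saying why the directory is removed at init; something like `// discard partial downloads left by an interrupted install` would help, if that is the intent. init's body continues outside the hunk.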