lxc-debian: avoid installing unauthenticated packages

--force-yes is deprecated, and is a shortcut for --allow-unauthenticated, --allow-downgrades, --allow-remove-essential, --allow-change-held-packages. --allow-unauthenticated is the only likely to be needed here, so instead of allowing unauthenticated packages, copy any custom keyring used inside the rootfs so any packages we need to install are properly authenticated. The common case is debian-ports-archive-keyring. Signed-off-by: Antonio Terceiro <terceiro@debian.org>
2022-04-10 06:20:18 -03:00 · 2022-04-10 06:20:18 -03:00 · 56a2d30c41
commit 56a2d30c41
parent 4b041f1d18
1 changed files with 9 additions and 2 deletions
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@ -267,9 +267,9 @@ install_packages()
 {
    local rootfs="$1"; shift
    local packages="$*"
-    
+
    if [ -n "${packages}" ] && apt_update_packages; then
-        chroot "${rootfs}" apt-get install --force-yes -y --no-install-recommends ${packages}
+        chroot "${rootfs}" apt-get install -y --no-install-recommends ${packages}
    elif [ -n "${packages}" ]; then
        echo "Apt update failed, not downloading packages"
    fi
@ -614,6 +614,13 @@ EOF
        write_sourceslist "${rootfs}" "${release}"
    fi

+    # Copy non-standard keyring inside rootfs
+    local extra_keyring
+    extra_keyring="${rootfs}/etc/apt/trusted.gpg.d/lxc-create-$(basename "${KEYRING}")"
+    if [ "${KEYRING}" != "${DEBIAN_ARCHIVE_KEYRING}" ]; then
+      cp "${KEYRING}" "${extra_keyring}"
+    fi
+
    # Install Packages in container
    if [ -n "${packages}" ]; then
        local pack_list