From f29113a862339c8abd8d5a21587154666a898e9e Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Thu, 2 Dec 2021 14:46:08 +0100
Subject: [PATCH] caching: cache signatures but ignore outer verify errors

new pacman (6.0) doesn't downloads the .sig files if SigLevel is set to `Never`, an understandable optimization in general but for our use case an issue. We cache packages on the host, where we have internet but do not have an archlinux trusted keyring setup, we then verify the non-bootstrap packages (i.e., all but pacman and the keyring) in the bootstrapping container itself This is somewhat ugly, but one of the simpler options, an possible alternative on the long run could be to package archlinux-keyring for debian and have that as dependency for aab, then we could populate a local directory (pacman gas a `--gpgdir` option) and fully verify all that..

Signed-off-by: Thomas Lamprecht
---
 PVE/AAB.pm | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/PVE/AAB.pm b/PVE/AAB.pm
index 53e9e61..42ac5e3 100644
--- a/PVE/AAB.pm
+++ b/PVE/AAB.pm
@@ -465,8 +465,11 @@ sub cache_packages {
 my ($self, $packages) = @_;
 my $root = $self->{rootfs};

- my @pacman = $self->pacman_command();
- $self->run_command([@pacman, '-Sw', '--', @$packages]);
+ $self->write_pacman_conf('pacman.caching.conf', "Optional");
+ my @pacman = $self->pacman_command('pacman.caching.conf');
+ my ($_res, $ec) = $self->run_command([@pacman, '-Sw', '--', @$packages], undef, undef, 1);
+ $self->logmsg("ignore bad exit $ec due to unavailable keyring, the CT will verify that later.\n")
+ if $ec;
 }

 sub mask_systemd_unit {
@@ -730,7 +733,7 @@ sub clean {
 my ($self, $all) = @_;

 unlink $self->{logfile};
- unlink $self->{'pacman.conf'};
+ unlink $self->{'pacman.conf'}, 'pacman.caching.conf';
 $self->ve_destroy();
 unlink '.veid';
 unlink $self->{veconffile};
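Review bot: In cache_packages the new `if $ec` branch treats every non-zero exit of `pacman -Sw` as a keyring problem, so a failed download, an unknown package or a full cache directory is logged and ignored in the same way and the build carries on with an incomplete cache. As far as the hunk shows, nothing after the call confirms that the requested packages were actually fetched; checking that each requested package has a file in the cache and calling `die` otherwise would stop download failures from passing as signature errors. The log text also promises more than the commit description does, since pacman and the keyring themselves are not verified in the CT; I would reword it to `"pacman -Sw exited with $ec, assuming missing keyring; non-bootstrap packages are verified in the CT later\n"` and add a comment above the call stating that the bootstrap packages are trusted unverified. The fourth argument `1` to run_command presumably suppresses its die on failure, but that helper is defined outside this hunk.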
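Review bot: The literal `'pacman.caching.conf'` now appears three times across cache_packages and clean, and in clean it is unlinked as a bare relative path while the main config goes through `$self->{'pacman.conf'}`. If clean can run from a different working directory than cache_packages (not visible here), the caching config written with the `"Optional"` setting is left behind, and a typo in any one copy of the name has the same effect. Keeping the path in one place, for example `$self->{'pacman.caching.conf'}` set where `$self->{'pacman.conf'}` is set, and using it in all three spots would avoid both. The body of clean continues past the end of the hunk.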