caching: cache signatures but ignore outer verify errors

new pacman (6.0) doesn't downloads the <pkg>.sig files if SigLevel is
set to `Never`, an understandable optimization in general but for our
use case an issue.

We cache packages on the host, where we have internet but do not have
an archlinux trusted keyring setup, we then verify the non-bootstrap
packages (i.e., all but pacman and the keyring) in the bootstrapping
container itself

This is somewhat ugly, but one of the simpler options, an possible
alternative on the long run could be to package archlinux-keyring for
debian and have that as dependency for aab, then we could populate a
local directory (pacman gas a `--gpgdir` option) and fully verify all
that..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

PVE/AAB.pm

@@ -465,8 +465,11 @@ sub cache_packages {
     my ($self, $packages) = @_;
     my $root = $self->{rootfs};
 
-    my @pacman = $self->pacman_command();
+    $self->write_pacman_conf('pacman.caching.conf', "Optional");
-    $self->run_command([@pacman, '-Sw', '--', @$packages]);
+    my @pacman = $self->pacman_command('pacman.caching.conf');
+    my ($_res, $ec) = $self->run_command([@pacman, '-Sw', '--', @$packages], undef, undef, 1);
+    $self->logmsg("ignore bad exit $ec due to unavailable keyring, the CT will verify that later.\n")
+	if $ec;
 }
 
 sub mask_systemd_unit {
@@ -730,7 +733,7 @@ sub clean {
     my ($self, $all) = @_;
 
     unlink $self->{logfile};
-    unlink $self->{'pacman.conf'};
+    unlink $self->{'pacman.conf'}, 'pacman.caching.conf';
     $self->ve_destroy();
     unlink '.veid';
     unlink $self->{veconffile};