caching: cache signatures but ignore outer verify errors

new pacman (6.0) doesn't downloads the <pkg>.sig files if SigLevel is
set to `Never`, an understandable optimization in general but for our
use case an issue.

We cache packages on the host, where we have internet but do not have
an archlinux trusted keyring setup, we then verify the non-bootstrap
packages (i.e., all but pacman and the keyring) in the bootstrapping
container itself

This is somewhat ugly, but one of the simpler options, an possible
alternative on the long run could be to package archlinux-keyring for
debian and have that as dependency for aab, then we could populate a
local directory (pacman gas a `--gpgdir` option) and fully verify all
that..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/PVE/AAB.pm b/PVE/AAB.pm
index 53e9e619966aa4e68c46004afaa3557da0fd94f8..42ac5e3947d8d7ee8c7888d66c499938bef7ba72 100644 (file)
--- a/PVE/AAB.pm
+++ b/PVE/AAB.pm
@@ -465,8 +465,11 @@ sub cache_packages {
     my ($self, $packages) = @_;
     my $root = $self->{rootfs};
 
-    my @pacman = $self->pacman_command();
-    $self->run_command([@pacman, '-Sw', '--', @$packages]);
+    $self->write_pacman_conf('pacman.caching.conf', "Optional");
+    my @pacman = $self->pacman_command('pacman.caching.conf');
+    my ($_res, $ec) = $self->run_command([@pacman, '-Sw', '--', @$packages], undef, undef, 1);
+    $self->logmsg("ignore bad exit $ec due to unavailable keyring, the CT will verify that later.\n")
+       if $ec;
 }
 
 sub mask_systemd_unit {
@@ -730,7 +733,7 @@ sub clean {
     my ($self, $all) = @_;
 
     unlink $self->{logfile};
-    unlink $self->{'pacman.conf'};
+    unlink $self->{'pacman.conf'}, 'pacman.caching.conf';
     $self->ve_destroy();
     unlink '.veid';
     unlink $self->{veconffile};