debootstrap: update ca-certificates using the host

The root certificates contained in the ca-certificates pacakges are requried to download files using https. The initial package comes from the debootstrap archive. This pacakge may be outdated and updating it in the target filesystem using apt update && apt upgrade fails, because the repository may use a certificate, that is not yet part of the ca-certificates package. This change downloads the latest ca-certifiactes package using the apt proxy on the host and installs it on the target before runnign apt update.
Elektrobit · Feb 11, 2025 · f306f71 · f306f71
1 parent 4feb12b
commit f306f71
Showing 1 changed file with 33 additions and 2 deletions.
diff --git a/ebcl/tools/root/debootstrap.py b/ebcl/tools/root/debootstrap.py
@@ -1,15 +1,16 @@
 """ Implementation for using debootstrap as root filesystem generator. """
 import glob
+import hashlib
 import logging
 import os
-import hashlib
 
+from pathlib import Path
 from typing import Optional, List
 
 from ebcl.common import get_cache_folder
 from ebcl.common.apt import Apt, AptDebRepo
 from ebcl.common.config import Config
-from ebcl.common.version import VersionRelation
+from ebcl.common.version import VersionDepends, VersionRelation
 
 
 class DebootstrapRootGenerator:
@@ -224,6 +225,34 @@ def _find_deboostrap_repo(self) -> tuple[Apt, AptDebRepo] | tuple[None, None]:
                     return (apt, repo)
         return (None, None)
 
+    def _update_ca_certificates(self) -> None:
+        """
+        Update ca-certificates
+        There is a chance that this cannot be done using apt update && apt upgrade,
+        because the sources may list a repository, that uses a root certificate for signing
+        that is not yet installed on the target system (because the ca-certificates package in debootrap is too old).
+        """
+
+        logging.info("Trying to update ca-certificates")
+        ca_pkg = self.config.proxy.find_package(VersionDepends("ca-certificates", None, None, None, self.config.arch))
+        if not ca_pkg:
+            logging.warning("No ca-certificates package in sources found, skipping update.")
+            return
+
+        ca_pkg = self.config.proxy.download_package(self.config.arch, ca_pkg, location=self.config.target_dir)
+        local_file_str = ca_pkg and ca_pkg.local_file or None
+        if not local_file_str:
+            logging.error("Unable to download ca-certificates package")
+            return
+        local_file = Path(local_file_str)
+        local_name = local_file.name
+
+        self.config.fake.run_chroot(
+            f'bash -c "{self.apt_env} dpkg --install --skip-same-version /{local_name}"',
+            self.config.target_dir
+        )
+        local_file.unlink()
+
     def _run_debootstrap(self) -> bool:
         """ Run debootstrap and store result in cache. """
         fake = self.config.fake
@@ -294,6 +323,8 @@ def _run_update(self, debootstrap_hash: Optional[str]) -> bool:
                 check=True
             )
 
+            self._update_ca_certificates()
+
             # Update root
             fake.run_chroot(
                 f'bash -c "{self.apt_env} apt update"',