From 4993e0f5d0d4494d0ea3aefcd751ee603ab73fa2 Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Wed, 17 Jan 2024 14:44:58 +0100
Subject: [PATCH 1/2] apt: reverse enable logic

---
 apt/apt.go | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/apt/apt.go b/apt/apt.go
index f0459a4a..1aaab11b 100644
--- a/apt/apt.go
+++ b/apt/apt.go
@@ -259,27 +259,29 @@ func NewBackend(target *types.Target, aptConfigDir string, logger types.Logger)
 }
 
 for i, repo := range repoList {
- if repo.Enabled && !repo.SourceRepo {
- prefix := target.Distro.Display
- repoID := fmt.Sprintf("%s-%d", prefix, i)
+ if !repo.Enabled || repo.SourceRepo {
+ continue
+ }
 
- var components []string
- if repo.Components != "" {
- components = strings.Split(repo.Components, " ")
- }
+ prefix := target.Distro.Display
+ repoID := fmt.Sprintf("%s-%d", prefix, i)
 
- remoteRepo, err := deb.NewRemoteRepo(repoID, repo.URI, repo.Distribution, components, []string{debArch}, false, false, false)
- if err != nil {
- return nil, err
- }
+ var components []string
+ if repo.Components != "" {
+ components = strings.Split(repo.Components, " ")
+ }
 
- if err := backend.repoCollection.Add(remoteRepo); err != nil {
- backend.Close()
- return nil, fmt.Errorf("failed to add collection: %w", err)
- }
+ remoteRepo, err := deb.NewRemoteRepo(repoID, repo.URI, repo.Distribution, components, []string{debArch}, false, false, false)
+ if err != nil {
+ return nil, err
+ }
 
- backend.logger.Debugf("Added repository '%s' %s %s %v %v", repoID, repo.URI, repo.Distribution, components, debArch)
+ if err := backend.repoCollection.Add(remoteRepo); err != nil {
+ backend.Close()
+ return nil, fmt.Errorf("failed to add collection: %w", err)
 }
+
+ backend.logger.Debugf("Added repository '%s' %s %s %v %v", repoID, repo.URI, repo.Distribution, components, debArch)
 }
 
 return backend, nil

From 6dadf0b97434eb0e42ca1e318f15ad5929050d3f Mon Sep 17 00:00:00 2001
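Review bot: The `deb.NewRemoteRepo` error path returns `nil, err` without calling `backend.Close()`, while the `backend.repoCollection.Add` failure a few lines below closes the backend before returning; the refactor carries this asymmetry over unchanged. If `Close` releases anything opened earlier in `NewBackend` (not visible in this hunk), that path leaks it on a malformed repository entry. Calling `backend.Close()` before the return and wrapping the error, e.g. `return nil, fmt.Errorf("failed to create remote repo %s: %w", repoID, err)`, would make the two failure paths consistent. `NewBackend` starts before the hunk and ends after it.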
From: Paul Cacheux Date: Wed, 17 Jan 2024 14:55:32 +0100 Subject: [PATCH 2/2] check is signed by is reachable --- apt/apt.go | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/apt/apt.go b/apt/apt.go index 1aaab11b..9bddd70b 100644 --- a/apt/apt.go +++ b/apt/apt.go @@ -263,6 +263,10 @@ func NewBackend(target *types.Target, aptConfigDir string, logger types.Logger) continue } + if isSignedByUnreachableKey(repo) { + continue + } + prefix := target.Distro.Display repoID := fmt.Sprintf("%s-%d", prefix, i) @@ -286,3 +290,26 @@ func NewBackend(target *types.Target, aptConfigDir string, logger types.Logger) return backend, nil } + +func isSignedByUnreachableKey(repo *Repository) bool { + if repo.Options == "" { + return false + } + + options := strings.Split(repo.Options, " ") + for _, opt := range options { + optName, optValue, found := strings.Cut(opt, "=") + if !found { + continue + } + + if strings.ToLower(optName) == "signed-by" { + // if the key is not in `/etc/*` then we cannot reach it + if !strings.HasPrefix(optValue, "/etc") { + return true + } + } + } + + return false +}
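Review bot: The new `continue` after `isSignedByUnreachableKey(repo)` drops the repository without any trace, while a repository that is kept gets a `Debugf` line at the end of the loop body. Since this changes which package sources the backend ends up using, a log line before the `continue`, for example `backend.logger.Debugf("Skipping repository %s: signed-by key is outside /etc", repo.URI)`, would let an operator see why a configured source was ignored. The loop body continues outside the hunk.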
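Review bot: The reachability test `strings.HasPrefix(optValue, "/etc")` compares the raw option text, so a value such as `/etcetera/key.gpg` or `/etc/../usr/share/keyrings/key.gpg` is treated as reachable although it does not resolve under `/etc/`. Normalising first and matching the directory boundary, `if !strings.HasPrefix(path.Clean(optValue), "/etc/") { return true }`, covers both cases; it needs the `path` import, which is outside the hunk. sources.list(5) also lets `signed-by` carry key fingerprints or a comma-separated list, which this check does not split, so a fingerprint-only entry is skipped as unreachable and a mixed list is judged by its first element only; worth confirming that is intended. A doc comment on `isSignedByUnreachableKey` stating what "reachable" means here, and `strings.EqualFold(optName, "signed-by")` in place of the `ToLower` comparison, would round it off.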