Description: aptcc: Do not trust local debs (CVE-2020-16122)
 Debs do not have signatures on their own, so they are always untrusted.
Author: Julian Andres Klode
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1882098
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/backends/aptcc/pk-backend-aptcc.cpp
+++ b/backends/aptcc/pk-backend-aptcc.cpp
@@ -915,6 +915,13 @@ static void backend_manage_packages_thre
 return;
 }
+ if (pk_bitfield_contain(transaction_flags, PK_TRANSACTION_FLAG_ENUM_ONLY_TRUSTED)) {
+ pk_backend_job_error_code(job,
+ PK_ERROR_ENUM_CANNOT_INSTALL_REPO_UNSIGNED,
+ "Local packages cannot be authenticated.");
+ return;
+ }
+
 // get the list of packages to install
 if (!apt->markFileForInstall(full_paths[0], installPkgs, removePkgs)) {
 apt->emitFinished();
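Review bot: The added guard carries no comment explaining why a local .deb can never satisfy ONLY_TRUSTED, which is the whole substance of the fix; I would precede the `if` with `// A local .deb carries no repository signature, so it can never be authenticated: refuse unless the client explicitly dropped ONLY_TRUSTED after prompting the user.` The error code PK_ERROR_ENUM_CANNOT_INSTALL_REPO_UNSIGNED is worded for repositories while the message talks about local packages; if this backend already uses a more specific signature-related error code elsewhere, it would describe the condition more accurately to clients. The guard sits correctly before markFileForInstall, but any other code path in the backend that accepts caller-supplied file paths would need the same check, which cannot be confirmed from this hunk. backend_manage_packages_thread starts and continues outside the hunk.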