Setting up third party apt repositories

[Matthew Pounsett]

I can't seem to figure out what needs to be done to set up a
third-party apt repository during the install process.  I'm currently
testing with Debian Buster, based loosely off of the FAIBASE and
DEBIAN classes in the sample setup (I have made a LOT of
customizations at this point).

Let's take the upstream repository for BIND for example. I've created
the following file at hooks/repository.BIND:

#! /bin/bash
error=0; trap 'error=$(($?>$error?$?:$error))' ERR # save maximum error code
source $target/etc/os-release
apt-get -y install apt-transport-https ca-certificates
echo "deb https://packages.sury.org/bind/ ${VERSION_CODENAME} main" >
$target/etc/apt/sources.list.d/bind.list
exit $error

I've also downloaded the apt.gpg file from the repository and placed
it as package_config/BIND.gpg

In this hook script the install of the ca-certificates package fails
("no installation candidate").  So later, when FAI tries to run the
"updatebase" step, apt can't verify the repository certificate.

I have also tried adding $ROOTCMD to the beginning of the apt-get call
in the the hook script, in case the packages are required inside of
$target instead of in the installer OS.

I've done some googling and found only one other case of someone
trying to accomplish a similar thing, but they didn't seem to find a
fix.
<https://devops.stackexchange.com/questions/3352/installing-packages-from-a-3rd-party-repository-with-fai>

Is there a "proper" way to do this?  It seems like I've got a catch-22
where in order to get indexes from https-based repositories I need to
already have some of the OS in place, but the required base packages
aren't installed yet when the "repository" and "updatebase" hooks
fire.