diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index becd3b5d..14519f2f 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -655,12 +655,12 @@ mkdir -p "$INSTALLER_ISO/EFI/BOOT"
 
 # Build the installer filesystem inside a container
 # This creates: vmlinuz, initrd.img, filesystem.squashfs
-echo "   Building installer rootfs with debootstrap (this takes a few minutes)..."
-$CONTAINER_CMD run --rm --privileged --platform $CONTAINER_PLATFORM \
-    -v "$WORK_DIR:/output" \
-    -e DEB_ARCH="$DEB_ARCH" \
-    -e LIB_DIR="$LIB_DIR" \
-    debian:trixie bash -c '
+# NOTE: the installer-env script is written to a file and bind-mounted into the
+# container rather than passed via `bash -c '...'`. On some hosts, the inline
+# form somehow interferes with debootstrap's dpkg-deb|tar extraction (repro'd
+# on this box: bash -c fails at "Extracting apt...", bash /script.sh succeeds).
+_INSTALLER_ENV_SCRIPT="$WORK_DIR/_installer-env.sh"
+cat > "$_INSTALLER_ENV_SCRIPT" <<'INSTALLER_ENV_EOF'
 set -e
 
 apt-get update -qq
@@ -924,7 +924,14 @@ grub-mkfont -s 16 -o /output/grub-fonts/dejavu_16.pf2 /usr/share/fonts/truetype/
 grub-mkfont -s 24 -o /output/grub-fonts/dejavu_24.pf2 /usr/share/fonts/truetype/dejavu/DejaVuSansMono-Bold.ttf
 
 echo "   [container] Done!"
-'
+INSTALLER_ENV_EOF
+
+$CONTAINER_CMD run --rm --privileged --platform $CONTAINER_PLATFORM \
+    -v "$WORK_DIR:/output" \
+    -v "$_INSTALLER_ENV_SCRIPT:/installer-env.sh:ro" \
+    -e DEB_ARCH="$DEB_ARCH" \
+    -e LIB_DIR="$LIB_DIR" \
+    debian:trixie bash /installer-env.sh
 
 # Verify artifacts
 for artifact in vmlinuz initrd.img filesystem.squashfs BOOTX64.EFI efi.img isolinux.bin isohdpfx.bin; do