diff --git a/pmb/chroot/apk.py b/pmb/chroot/apk.py
index a9149bec..ed051e63 100644
--- a/pmb/chroot/apk.py
+++ b/pmb/chroot/apk.py
@@ -174,6 +174,12 @@ def install_run_apk(args, to_add, to_add_local, to_del, suffix):
                    installed or their dependencies (e.g. ["osk-sdl"])
     :param suffix: the chroot suffix, e.g. "native" or "rootfs_qemu-amd64"
     """
+    # Sanitize packages: don't allow '--allow-untrusted' and other options
+    # to be passed to apk!
+    for package in to_add + to_add_local + to_del:
+        if package.startswith("-"):
+            raise ValueError(f"Invalid package name: {package}")
+
     commands = [["add"] + to_add]
 
     # Use a virtual package to mark only the explicitly requested packages as
@@ -230,12 +236,6 @@ def install(args, packages, suffix="native", build=True):
         for package in to_add:
             install_build(args, package, arch)
 
-    # Sanitize packages: don't allow '--allow-untrusted' and other options
-    # to be passed to apk!
-    for package in to_add + to_del:
-        if package.startswith("-"):
-            raise ValueError(f"Invalid package name: {package}")
-
     to_add_local = packages_get_locally_built_apks(args, to_add, arch)
     to_add_no_deps, _ = packages_split_to_add_del(packages)
 
diff --git a/test/test_apk.py b/test/test_apk.py
index 0974bcd0..f1ef6c86 100644
--- a/test/test_apk.py
+++ b/test/test_apk.py
@@ -143,3 +143,12 @@ def test_install_run_apk(monkeypatch, args):
     func(args, to_add, to_add_local, to_del, suffix)
     assert cmds_progress == [["apk", "--no-network", "add", "hello-world"]]
     assert cmds == []
+
+    # Package name starting with '-'
+    reset_cmds()
+    to_add = ["hello-world", "--allow-untrusted"]
+    to_add_local = []
+    to_del = []
+    with pytest.raises(ValueError) as e:
+        func(args, to_add, to_add_local, to_del, suffix)
+    assert "Invalid package name" in str(e.value)