Including custom TLS cert in build

Hi,

Background

We're looking at melange for packaging however one of the issues we're facing is all developer connections to the internet are behind a TLS inspection proxy. As it currently stands this makes melange build fail as it essentially gets what it regards as an untrusted cert (i.e. it is from our corporate PKI rather than the Mozilla cert bundle) when, for example building a golang application the requires go get's.

Problem Statement

When doing a docker build this is easy enough to overcome by simply doing something akin to

tee -a /etc/ssl/certs/ca-certificates.crt < $PROXY_CERT

and passing the cert in as a build arg.

As melange is creating a bubblewrapped container for the build process it is unclear how an equivalent can be achieved.

We specifically do not want to utilise a multi-stage Dockerfile or Containerfile to overcome this, we'd like to utilise melange directly.

What I've tried

First Attempt

Create a new package to essentially replace /etc/ssl/certs/ca-certificates.crt with the existing Mozilla chain pre-pended to our corporate cert. Very "brute force" and not at all desirable:

melange.yaml

```yaml package: name: my-internal-certificate version: 1.0.0 epoch: 0 description: "my internal certificate" target-architecture: - x86_64 environment: contents: keyring: - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub - melange.rsa.pub repositories: - https://packages.wolfi.dev/os packages: - busybox - ca-certificates-bundle pipeline: - runs: > mkdir -p "${{targets.destdir}}"/etc/ssl/certs cp /etc/ssl/certs/ca-certificates.crt "${{targets.destdir}}"/etc/ssl/certs printf -- '-----BEGIN CERTIFICATE-----\n ... -----END CERTIFICATE-----' >> "${{targets.destdir}}"/etc/ssl/certs/ca-certificates.crt ```

apko.yaml

```yaml contents: keyring: - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub - melange.rsa.pub repositories: - https://packages.wolfi.dev/os - packages packages: - wolfi-baselayout - busybox - my-internal-certificate entrypoint: command: /bin/sh -l archs: - x86_64 ```

Results in apko build failing:

Installing apk packages: installing packages: installing my-internal-certificate: unable to install files for pkg my-internal-certificate: unable to install file over existing one, different contents: etc/ssl/certs/ca-certificates.crt

Second Attempt

Create a new package to add the certificate into the image and append it to /etc/ssl/certs/ca-certificates.crt when installed via the post-install scriptlet:

melange-2.yaml

```yaml package: name: my-internal-certificate version: 1.0.0 epoch: 0 description: "my internal certificate" target-architecture: - x86_64 scriptlets: post-install: | #!/bin/busybox sh tee -a /etc/ssl/certs/ca-certificates.crt < /usr/local/share/ca-certificates/my-internal-cert.crt post-deinstall: | #!/bin/busybox sh rm /usr/local/share/ca-certificates/my-internal-cert.crt environment: contents: keyring: - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub - melange.rsa.pub repositories: - https://packages.wolfi.dev/os packages: - busybox pipeline: - runs: > mkdir -p "${{targets.destdir}}"/usr/local/share/ca-certificates printf -- '-----BEGIN CERTIFICATE-----\n ... -----END CERTIFICATE-----' > "${{targets.destdir}}"/usr/local/share/ca-certificates/my-internal-certificate.crt ```

Results in apko build succeeding and the certificate is in the container at /usr/local/share/ca-certificates. It doesn't, however, appear that the post-install scriptlet has been executed?

There is no output when using --debug to indicate any issues with the post-install script (or even to indicate whether it has or hasn't been executed).

What next steps could you suggest to allow our evaluation to continue?

Thanks!

chainguard-dev / melange