Add support for custom certificate packages

Author: codysoyland

hack/update-packages.sh

@@ -10,3 +10,9 @@ set -ex
   melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa replayout.melange.yaml)
 (cd internal/cli &&
   apko lock ./testdata/apko.yaml)
+
+(cd pkg/build/testdata && \
+  melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa pretend-baselayout.melange.yaml && \
+  melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa replayout.melange.yaml && \
+  melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa custom-ca-certs-1.melange.yaml && \
+  melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa custom-ca-certs-2.melange.yaml)

internal/cli/testdata/apko-certs.yaml

@@ -0,0 +1,13 @@
+contents:
+  keyring:
+    - ./testdata/melange.rsa.pub
+  repositories:
+    - ./testdata/packages
+  packages:
+    - pretend-baselayout
+    - custom-ca-certs-1
+    - custom-ca-certs-2
+
+archs:
+- x86_64
+- aarch64

internal/cli/testdata/custom-ca-certs-1.melange.yaml

@@ -0,0 +1,71 @@
+package:
+  name: custom-ca-certs-1
+  version: 1.0.0
+  epoch: 0
+  description: "custom CA certificates package 1 (test)"
+  copyright:
+    - license: MIT
+  dependencies:
+    provides:
+      - custom-ca-certificates
+
+environment:
+  contents:
+    packages:
+      - busybox
+
+pipeline:
+  - name: Install certificates
+    runs: |
+      mkdir -p ${{targets.destdir}}/usr/local/share/ca-certificates
+      cat >${{targets.destdir}}/usr/local/share/ca-certificates/custom-1-cert-a.crt <<'CERTEOF'
+      -----BEGIN CERTIFICATE-----
+      MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
+      MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
+      aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
+      ZWFyIFgxMB4XDTE1MDYwNDExMDQzOFoXDTM1MDYwNDExMDQzOFowZjELMAkGA1UE
+      BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+      YXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRlbmQgUGVhciBYMTCC
+      AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdDTa1QgGBWSYkyMhsc
+      ZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPWnL++fgehT0FbRHZg
+      jOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigkkmx8OiCO68a4QXg4
+      wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZGTIf/oRt2/c+dYmD
+      oaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6VP19sTGy3yfqK5tPt
+      TdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkLYC0Ft2cYUyHtkstO
+      fRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2UPQFxmWFRQnFjaq6
+      rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/2dBZKmJqxHkxCuOQ
+      FjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRMEeOXUYvbV4lqfCf8
+      mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEmQWUOTWIoDQ5FOia/
+      GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eVEGOIpn26bW5LKeru
+      mJxa/CFBaKi4bRvmdJRLAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+      Af8EBTADAQH/MB0GA1UdDgQWBBS182Xy/rAKkh/7PH3zRKCsYyXDFDANBgkqhkiG
+      9w0BAQsFAAOCAgEAncDZNytDbrrVe68UT6py1lfF2h6Tm2p8ro42i87WWyP2LK8Y
+      nLHC0hvNfWeWmjZQYBQfGC5c7aQRezak+tHLdmrNKHkn5kn+9E9LCjCaEsyIIn2j
+      qdHlAkepu/C3KnNtVx5tW07e5bvIjJScwkCDbP3akWQixPpRFAsnP+ULx7k0aO1x
+      qAeaAhQ2rgo1F58hcflgqKTXnpPM02intVfiVVkX5GXpJjK5EoQtLceyGOrkxlM/
+      sTPq4UrnypmsqSagWV3HcUlYtDinc+nukFk6eR4XkzXBbwKajl0YjztfrCIHOn5Q
+      CJL6TERVDbM/aAPly8kJ1sWGLuvvWYzMYgLzDul//rUF10gEMWaXVZV51KpS9DY/
+      5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
+      xUuXY4xRdh45tMJnLTUDdC9FIU0flTeO9/vNpVA8OPU1i14vCz+MU8KX1bV3GXm/
+      fxlB7VBBjX9v5oUep0o/j68R/iDlCOM4VVfRa8gX6T2FU7fNdatvGro7uQzIvWof
+      gN9WUwCbEMBy/YhBSrXycKA8crgGg3x1mIsopn88JKwmMBa68oS7EHM9w7C4y71M
+      7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
+      -----END CERTIFICATE-----
+      CERTEOF
+      cat >${{targets.destdir}}/usr/local/share/ca-certificates/custom-1-cert-b.crt <<'CERTEOF'
+      -----BEGIN CERTIFICATE-----
+      MIICTjCCAdSgAwIBAgIRAIPgc3k5LlLVLtUUvs4K/QcwCgYIKoZIzj0EAwMwaDEL
+      MAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0
+      eSBSZXNlYXJjaCBHcm91cDEkMCIGA1UEAxMbKFNUQUdJTkcpIEJvZ3VzIEJyb2Nj
+      b2xpIFgyMB4XDTIwMDkwNDAwMDAwMFoXDTQwMDkxNzE2MDAwMFowaDELMAkGA1UE
+      BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+      YXJjaCBHcm91cDEkMCIGA1UEAxMbKFNUQUdJTkcpIEJvZ3VzIEJyb2Njb2xpIFgy
+      MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEOvS+w1kCzAxYOJbA06Aw0HFP2tLBLKPo
+      FQqR9AMskl1nC2975eQqycR+ACvYelA8rfwFXObMHYXJ23XLB+dAjPJVOJ2OcsjT
+      VqO4dcDWu+rQ2VILdnJRYypnV1MMThVxo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+      VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU3tGjWWQOwZo2o0busBB2766XlWYwCgYI
+      KoZIzj0EAwMDaAAwZQIwRcp4ZKBsq9XkUuN8wfX+GEbY1N5nmCRc8e80kUkuAefo
+      uc2j3cICeXo1cOybQ1iWAjEA3Ooawl8eQyR4wrjCofUE8h44p0j7Yl/kBlJZT8+9
+      vbtH7QiVzeKCOTQPINyRql6P
+      -----END CERTIFICATE-----
+      CERTEOF

internal/cli/testdata/custom-ca-certs-2.melange.yaml

@@ -0,0 +1,48 @@
+package:
+  name: custom-ca-certs-2
+  version: 1.0.0
+  epoch: 0
+  description: "custom CA certificates package 2 (test)"
+  copyright:
+    - license: MIT
+  dependencies:
+    provides:
+      - custom-ca-certificates
+
+environment:
+  contents:
+    packages:
+      - busybox
+
+pipeline:
+  - name: Install certificates
+    runs: |
+      mkdir -p ${{targets.destdir}}/usr/local/share/ca-certificates
+      cat >${{targets.destdir}}/usr/local/share/ca-certificates/custom-2-cert-c.crt <<'CERTEOF'
+      -----BEGIN CERTIFICATE-----
+      MIIBwjCCAWegAwIBAgIUBKZDifzRAz30jwlcoQLIOxkBPLMwCgYIKoZIzj0EAwIw
+      NTEeMBwGA1UEAwwVVGVzdCBDQSBDZXJ0aWZpY2F0ZSAzMRMwEQYDVQQKDApUZXN0
+      IE9yZyAzMCAXDTI2MDIyNzIwMzk1OVoYDzIxMjYwMjAzMjAzOTU5WjA1MR4wHAYD
+      VQQDDBVUZXN0IENBIENlcnRpZmljYXRlIDMxEzARBgNVBAoMClRlc3QgT3JnIDMw
+      WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARx/10O/q2rOnQtpBXHjARAUryfNWjD
+      UXeshzFk44hrv45loTsGQcyb5vAL6h3FSdBN91njUch4eF1NEYLKoR3Qo1MwUTAd
+      BgNVHQ4EFgQUhLbWEa0IUIixKPBVvuKxhK6UMnMwHwYDVR0jBBgwFoAUhLbWEa0I
+      UIixKPBVvuKxhK6UMnMwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBG
+      AiEAqgTlOPOiNJLPJhMjRl9Zpaq6TTGfh+awe7N3fcEdHVICIQDfgVRRkuv1KTWk
+      44YBh2/IaTSFwFo8cd39Fnv7CYi/2g==
+      -----END CERTIFICATE-----
+      CERTEOF
+      cat >${{targets.destdir}}/usr/local/share/ca-certificates/custom-2-cert-d.crt <<'CERTEOF'
+      -----BEGIN CERTIFICATE-----
+      MIIBwTCCAWegAwIBAgIUPrm4YvABD98JhdU93qPsAgryo0UwCgYIKoZIzj0EAwIw
+      NTEeMBwGA1UEAwwVVGVzdCBDQSBDZXJ0aWZpY2F0ZSA0MRMwEQYDVQQKDApUZXN0
+      IE9yZyA0MCAXDTI2MDIyNzIwNDAwMFoYDzIxMjYwMjAzMjA0MDAwWjA1MR4wHAYD
+      VQQDDBVUZXN0IENBIENlcnRpZmljYXRlIDQxEzARBgNVBAoMClRlc3QgT3JnIDQw
+      WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQbR9hBg7/IeSBYJzUvBUxnnaNmoOJj
+      ESG5CiOa2980CC5aixcLof5kk/9K16B+OLIGSUE+Ya98N0vNP8KmDmvBo1MwUTAd
+      BgNVHQ4EFgQU6ZlpZtkvodhxZX1aRsM44dY0SJ8wHwYDVR0jBBgwFoAU6ZlpZtkv
+      odhxZX1aRsM44dY0SJ8wDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBF
+      AiARCNSY4WZ7Tl1oAmWghJz0Sxzi57JY4pdrvzyzYQNrhgIhAPMAzTOf33fVRhaX
+      wB7TKj2HAGTDpoliTH80SMWJN3jK
+      -----END CERTIFICATE-----
+      CERTEOF

internal/cli/testdata/packages/aarch64/custom-ca-certs-1-1.0.0-r0.apk

@@ -124,6 +124,56 @@ func TestBuildImage(t *testing.T) {
 	require.Equal(t, installed[1].Version, "1.0.0-r0")
 }
 
+func TestBuildImageWithCertPackages(t *testing.T) {
+	ctx := context.Background()
+
+	opts := []build.Option{
+		build.WithConfig("apko-certs.yaml", []string{"testdata"}),
+	}
+
+	fsys := fs.NewMemFS()
+	bc, err := build.New(ctx, fsys, opts...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := bc.BuildImage(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	installed, err := bc.InstalledPackages()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Should have pretend-baselayout + custom-ca-certs-1 + custom-ca-certs-2.
+	require.Len(t, installed, 3)
+
+	// Verify the CA bundle was created and contains all 4 certificates.
+	bundlePath := "etc/ssl/certs/ca-certificates.crt"
+	bundleData, err := fsys.ReadFile(bundlePath)
+	require.NoError(t, err, "CA bundle should exist at %s", bundlePath)
+
+	bundle := string(bundleData)
+	require.Contains(t, bundle, "-----BEGIN CERTIFICATE-----")
+
+	// Count the number of certificates in the bundle.
+	certCount := strings.Count(bundle, "-----BEGIN CERTIFICATE-----")
+	require.Equal(t, 4, certCount, "expected 4 certificates in the CA bundle, got %d", certCount)
+
+	// Verify individual cert files exist in the filesystem.
+	certPaths := []string{
+		"usr/local/share/ca-certificates/custom-1-cert-a.crt",
+		"usr/local/share/ca-certificates/custom-1-cert-b.crt",
+		"usr/local/share/ca-certificates/custom-2-cert-c.crt",
+		"usr/local/share/ca-certificates/custom-2-cert-d.crt",
+	}
+	for _, p := range certPaths {
+		_, err := fsys.Stat(p)
+		require.NoError(t, err, "cert file %s should exist", p)
+	}
+}
+
 func TestBuildImageFromLockFile(t *testing.T) {
 	ctx := context.Background()