Add support for custom certificate packages

Author: codysoyland

hack/update-packages.sh

@@ -10,3 +10,9 @@ set -ex
   melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa replayout.melange.yaml)
 (cd internal/cli &&
   apko lock ./testdata/apko.yaml)
+
+(cd pkg/build/testdata && \
+  melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa pretend-baselayout.melange.yaml && \
+  melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa replayout.melange.yaml && \
+  melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa custom-ca-certs-1.melange.yaml && \
+  melange build --arch arm64 --arch amd64 -r https://packages.wolfi.dev/os -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --signing-key ./melange.rsa custom-ca-certs-2.melange.yaml)

internal/cli/testdata/apko-certs.yaml

@@ -0,0 +1,13 @@
+contents:
+  keyring:
+    - ./testdata/melange.rsa.pub
+  repositories:
+    - ./testdata/packages
+  packages:
+    - pretend-baselayout
+    - custom-ca-certs-1
+    - custom-ca-certs-2
+
+archs:
+- x86_64
+- aarch64

internal/cli/testdata/apko.lock.json

@@ -1,7 +1,7 @@
 {
   "version": "v1",
   "config": {
-    "name": "apko.yaml",
+    "name": "./testdata/apko.yaml",
     "checksum": "sha256-eal7+HCFuOLz/8m3vNO5cYyNK0Zw7AphCcsc76TbTXg="
   },
   "contents": {
@@ -33,74 +33,74 @@
         "architecture": "x86_64",
         "signature": {
           "range": "bytes=0-646",
-          "checksum": "sha1-S+THz+JYZxcNzNCw2jI9YlnDnE4="
+          "checksum": "sha1-68yfL6gzfID2sG0l2m9khSnrHig="
         },
         "control": {
-          "range": "bytes=647-1628",
-          "checksum": "sha1-m6wB0UFePGN8Drz82pC8y2uAiu8="
+          "range": "bytes=647-1619",
+          "checksum": "sha1-0pftHGkSOuPehxNPoB/52LsrvTk="
         },
         "data": {
-          "range": "bytes=1629-2929",
-          "checksum": "sha256-ckBapsaMu5EOb/e4Ei1s2l/+dZMEamHhUmaoJ8yeZwg="
+          "range": "bytes=1620-2894",
+          "checksum": "sha256-e4vOfIRDmdiI4zvwn0HzwCSGiqo+kbHK9oVoVo2iE4k="
         },
-        "checksum": "Q1m6wB0UFePGN8Drz82pC8y2uAiu8="
+        "checksum": "Q10pftHGkSOuPehxNPoB/52LsrvTk="
       },
       {
         "name": "replayout",
         "url": "./testdata/packages/x86_64/replayout-1.0.0-r0.apk",
         "version": "1.0.0-r0",
         "architecture": "x86_64",
         "signature": {
-          "range": "bytes=0-646",
-          "checksum": "sha1-M3D5FSI+rv4Qe3oJqVtR1CvOVKE="
+          "range": "bytes=0-648",
+          "checksum": "sha1-bh0aokWFmMsoIMwQzUjWwzG41mI="
         },
         "control": {
-          "range": "bytes=647-1660",
-          "checksum": "sha1-1/HhSewwwOXgl0r0ffb0O0BRtYc="
+          "range": "bytes=649-1652",
+          "checksum": "sha1-vso1nLTdKAdZdSM0Oc+VCBCYEXQ="
         },
         "data": {
-          "range": "bytes=1661-2960",
-          "checksum": "sha256-zmiHBvaqKHsF8CxQeHa0M4mZKwj7T4T5kRe9VpTkXUw="
+          "range": "bytes=1653-2924",
+          "checksum": "sha256-1ktsXlwK2YiGK15dnF4pNsqXZmY+H29l4n2+Ft35Zc8="
         },
-        "checksum": "Q11/HhSewwwOXgl0r0ffb0O0BRtYc="
+        "checksum": "Q1vso1nLTdKAdZdSM0Oc+VCBCYEXQ="
       },
       {
         "name": "pretend-baselayout",
         "url": "./testdata/packages/aarch64/pretend-baselayout-1.0.0-r0.apk",
         "version": "1.0.0-r0",
         "architecture": "aarch64",
         "signature": {
-          "range": "bytes=0-647",
-          "checksum": "sha1-DaCiv+fkcPqYlZ1j6qUAyjvaaWQ="
+          "range": "bytes=0-646",
+          "checksum": "sha1-MlQrXx8tSworVEXrBAV77FsYz5k="
         },
         "control": {
-          "range": "bytes=648-1628",
-          "checksum": "sha1-JQ8nfsxa27d0f6oa056sdT5IcJY="
+          "range": "bytes=647-1615",
+          "checksum": "sha1-gps8Z3kXGuweh5Pq6CIipzlMeTI="
         },
         "data": {
-          "range": "bytes=1629-2929",
-          "checksum": "sha256-cY5bE593kEpYKyqepLmkPc/RnAiPsIsm92XAHwi+U9I="
+          "range": "bytes=1616-2887",
+          "checksum": "sha256-kOx70Ra6+XGbU5e/t/eCq7ru/cCb7wnv7ZUG/2xsosE="
         },
-        "checksum": "Q1JQ8nfsxa27d0f6oa056sdT5IcJY="
+        "checksum": "Q1gps8Z3kXGuweh5Pq6CIipzlMeTI="
       },
       {
         "name": "replayout",
         "url": "./testdata/packages/aarch64/replayout-1.0.0-r0.apk",
         "version": "1.0.0-r0",
         "architecture": "aarch64",
         "signature": {
-          "range": "bytes=0-646",
-          "checksum": "sha1-/2EQJW+59r1Vbi3AxFA7e9brusw="
+          "range": "bytes=0-643",
+          "checksum": "sha1-P1v9vfM1t31NTc+wy5im2v54ksw="
         },
         "control": {
-          "range": "bytes=647-1655",
-          "checksum": "sha1-u62watWiRSQgVtAIuVuYoDOaVO4="
+          "range": "bytes=644-1643",
+          "checksum": "sha1-eUxA5oPQvmgJ8iEwDNWXCSHGMR0="
         },
         "data": {
-          "range": "bytes=1656-2954",
-          "checksum": "sha256-IMtgng48z5PaYwqYWLrGUKoaZUHFmigOnKRJ7KcmTQo="
+          "range": "bytes=1644-2915",
+          "checksum": "sha256-r/Rgw62p9qCiGteb7Uv2HEQsTTesiQjunKe77UhzPQ0="
         },
-        "checksum": "Q1u62watWiRSQgVtAIuVuYoDOaVO4="
+        "checksum": "Q1eUxA5oPQvmgJ8iEwDNWXCSHGMR0="
       }
     ]
   }

internal/cli/testdata/custom-ca-certs-1.melange.yaml

@@ -0,0 +1,71 @@
+package:
+  name: custom-ca-certs-1
+  version: 1.0.0
+  epoch: 0
+  description: "custom CA certificates package 1 (test)"
+  copyright:
+    - license: MIT
+  dependencies:
+    provides:
+      - custom-ca-certificates
+
+environment:
+  contents:
+    packages:
+      - busybox
+
+pipeline:
+  - name: Install certificates
+    runs: |
+      mkdir -p ${{targets.destdir}}/usr/local/share/ca-certificates
+      cat >${{targets.destdir}}/usr/local/share/ca-certificates/custom-1-cert-a.crt <<'CERTEOF'
+      -----BEGIN CERTIFICATE-----
+      MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
+      MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
+      aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
+      ZWFyIFgxMB4XDTE1MDYwNDExMDQzOFoXDTM1MDYwNDExMDQzOFowZjELMAkGA1UE
+      BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+      YXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRlbmQgUGVhciBYMTCC
+      AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdDTa1QgGBWSYkyMhsc
+      ZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPWnL++fgehT0FbRHZg
+      jOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigkkmx8OiCO68a4QXg4
+      wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZGTIf/oRt2/c+dYmD
+      oaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6VP19sTGy3yfqK5tPt
+      TdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkLYC0Ft2cYUyHtkstO
+      fRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2UPQFxmWFRQnFjaq6
+      rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/2dBZKmJqxHkxCuOQ
+      FjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRMEeOXUYvbV4lqfCf8
+      mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEmQWUOTWIoDQ5FOia/
+      GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eVEGOIpn26bW5LKeru
+      mJxa/CFBaKi4bRvmdJRLAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+      Af8EBTADAQH/MB0GA1UdDgQWBBS182Xy/rAKkh/7PH3zRKCsYyXDFDANBgkqhkiG
+      9w0BAQsFAAOCAgEAncDZNytDbrrVe68UT6py1lfF2h6Tm2p8ro42i87WWyP2LK8Y
+      nLHC0hvNfWeWmjZQYBQfGC5c7aQRezak+tHLdmrNKHkn5kn+9E9LCjCaEsyIIn2j
+      qdHlAkepu/C3KnNtVx5tW07e5bvIjJScwkCDbP3akWQixPpRFAsnP+ULx7k0aO1x
+      qAeaAhQ2rgo1F58hcflgqKTXnpPM02intVfiVVkX5GXpJjK5EoQtLceyGOrkxlM/
+      sTPq4UrnypmsqSagWV3HcUlYtDinc+nukFk6eR4XkzXBbwKajl0YjztfrCIHOn5Q
+      CJL6TERVDbM/aAPly8kJ1sWGLuvvWYzMYgLzDul//rUF10gEMWaXVZV51KpS9DY/
+      5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
+      xUuXY4xRdh45tMJnLTUDdC9FIU0flTeO9/vNpVA8OPU1i14vCz+MU8KX1bV3GXm/
+      fxlB7VBBjX9v5oUep0o/j68R/iDlCOM4VVfRa8gX6T2FU7fNdatvGro7uQzIvWof
+      gN9WUwCbEMBy/YhBSrXycKA8crgGg3x1mIsopn88JKwmMBa68oS7EHM9w7C4y71M
+      7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
+      -----END CERTIFICATE-----
+      CERTEOF
+      cat >${{targets.destdir}}/usr/local/share/ca-certificates/custom-1-cert-b.crt <<'CERTEOF'
+      -----BEGIN CERTIFICATE-----
+      MIICTjCCAdSgAwIBAgIRAIPgc3k5LlLVLtUUvs4K/QcwCgYIKoZIzj0EAwMwaDEL
+      MAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0
+      eSBSZXNlYXJjaCBHcm91cDEkMCIGA1UEAxMbKFNUQUdJTkcpIEJvZ3VzIEJyb2Nj
+      b2xpIFgyMB4XDTIwMDkwNDAwMDAwMFoXDTQwMDkxNzE2MDAwMFowaDELMAkGA1UE
+      BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+      YXJjaCBHcm91cDEkMCIGA1UEAxMbKFNUQUdJTkcpIEJvZ3VzIEJyb2Njb2xpIFgy
+      MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEOvS+w1kCzAxYOJbA06Aw0HFP2tLBLKPo
+      FQqR9AMskl1nC2975eQqycR+ACvYelA8rfwFXObMHYXJ23XLB+dAjPJVOJ2OcsjT
+      VqO4dcDWu+rQ2VILdnJRYypnV1MMThVxo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+      VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU3tGjWWQOwZo2o0busBB2766XlWYwCgYI
+      KoZIzj0EAwMDaAAwZQIwRcp4ZKBsq9XkUuN8wfX+GEbY1N5nmCRc8e80kUkuAefo
+      uc2j3cICeXo1cOybQ1iWAjEA3Ooawl8eQyR4wrjCofUE8h44p0j7Yl/kBlJZT8+9
+      vbtH7QiVzeKCOTQPINyRql6P
+      -----END CERTIFICATE-----
+      CERTEOF

internal/cli/testdata/custom-ca-certs-2.melange.yaml

@@ -0,0 +1,48 @@
+package:
+  name: custom-ca-certs-2
+  version: 1.0.0
+  epoch: 0
+  description: "custom CA certificates package 2 (test)"
+  copyright:
+    - license: MIT
+  dependencies:
+    provides:
+      - custom-ca-certificates
+
+environment:
+  contents:
+    packages:
+      - busybox
+
+pipeline:
+  - name: Install certificates
+    runs: |
+      mkdir -p ${{targets.destdir}}/usr/local/share/ca-certificates
+      cat >${{targets.destdir}}/usr/local/share/ca-certificates/custom-2-cert-c.crt <<'CERTEOF'
+      -----BEGIN CERTIFICATE-----
+      MIIBwjCCAWegAwIBAgIUBKZDifzRAz30jwlcoQLIOxkBPLMwCgYIKoZIzj0EAwIw
+      NTEeMBwGA1UEAwwVVGVzdCBDQSBDZXJ0aWZpY2F0ZSAzMRMwEQYDVQQKDApUZXN0
+      IE9yZyAzMCAXDTI2MDIyNzIwMzk1OVoYDzIxMjYwMjAzMjAzOTU5WjA1MR4wHAYD
+      VQQDDBVUZXN0IENBIENlcnRpZmljYXRlIDMxEzARBgNVBAoMClRlc3QgT3JnIDMw
+      WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARx/10O/q2rOnQtpBXHjARAUryfNWjD
+      UXeshzFk44hrv45loTsGQcyb5vAL6h3FSdBN91njUch4eF1NEYLKoR3Qo1MwUTAd
+      BgNVHQ4EFgQUhLbWEa0IUIixKPBVvuKxhK6UMnMwHwYDVR0jBBgwFoAUhLbWEa0I
+      UIixKPBVvuKxhK6UMnMwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBG
+      AiEAqgTlOPOiNJLPJhMjRl9Zpaq6TTGfh+awe7N3fcEdHVICIQDfgVRRkuv1KTWk
+      44YBh2/IaTSFwFo8cd39Fnv7CYi/2g==
+      -----END CERTIFICATE-----
+      CERTEOF
+      cat >${{targets.destdir}}/usr/local/share/ca-certificates/custom-2-cert-d.crt <<'CERTEOF'
+      -----BEGIN CERTIFICATE-----
+      MIIBwTCCAWegAwIBAgIUPrm4YvABD98JhdU93qPsAgryo0UwCgYIKoZIzj0EAwIw
+      NTEeMBwGA1UEAwwVVGVzdCBDQSBDZXJ0aWZpY2F0ZSA0MRMwEQYDVQQKDApUZXN0
+      IE9yZyA0MCAXDTI2MDIyNzIwNDAwMFoYDzIxMjYwMjAzMjA0MDAwWjA1MR4wHAYD
+      VQQDDBVUZXN0IENBIENlcnRpZmljYXRlIDQxEzARBgNVBAoMClRlc3QgT3JnIDQw
+      WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQbR9hBg7/IeSBYJzUvBUxnnaNmoOJj
+      ESG5CiOa2980CC5aixcLof5kk/9K16B+OLIGSUE+Ya98N0vNP8KmDmvBo1MwUTAd
+      BgNVHQ4EFgQU6ZlpZtkvodhxZX1aRsM44dY0SJ8wHwYDVR0jBBgwFoAU6ZlpZtkv
+      odhxZX1aRsM44dY0SJ8wDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBF
+      AiARCNSY4WZ7Tl1oAmWghJz0Sxzi57JY4pdrvzyzYQNrhgIhAPMAzTOf33fVRhaX
+      wB7TKj2HAGTDpoliTH80SMWJN3jK
+      -----END CERTIFICATE-----
+      CERTEOF