Custom Certificates #66927
Hey there,

Just as a heads up, I also created #66926.

In my company we have a lot of internal certificates that I want to share via an apk package, as the Wolfi OS package is doing it themselves. But when trying to add my certificates to the "default" ones I receive:

```
2025/09/19 14:35:03 INFO error during command execution: building "amd64" layer: installing apk packages: installing packages: installing certificates-stack (ver:0.0.1-r0 arch:x86_64): unable to install files for pkg certificates-stack: writing header for "etc/ssl/certs/ca-certificates.crt": packages map[ca-certificates-bundle:ca-certificates certificates-stack:certificates-stack] has conflicting file: "etc/ssl/certs/ca-certificates.crt"
```

So what would be the preferred way in Wolfi to do so? I found out about incert, but as I build the images myself I don't want to build them and then "recreate" the image just to add certificates.

What I'm trying to achieve with my solution is that all internal images that we build are able to just add the certificates by using that package.
Replies: 1 comment 3 replies
When using melange to create an .apk package which has file conflicts with another package, one has to provide a resolution if that is expected. In the package that should win, please declare the package names that ship the files that you want replaced. In case of multiple such replaces, there is a replaces priority as well, but that is rarely used. Schema: Example:

In your case it would be something like this:

```yaml
package:
  name: mycompany-certs-bundle
  # ...
  dependencies:
    replaces:
      - ca-certificates-bundle
```

Note: in addition to replaces, you may also want to declare provides as well, such that your package alone is enough to satisfy any dependencies on ca-certificates-bundle.

```yaml
dependencies:
  replaces:
    - ca-certificates-bundle
  provides:
    - ca-certificates-bundle
```

It may help to resolve dependencies such that your bundle is installed alone, without pulling in the Chainguard OS certificate bundle.
Your best option is to use replaces without provides, such that your custom package is co-installable with ca-certificates-bundle.
OR
or to have provides with full version ca-certificates-bundle=${{package.full-version}} => but the issue there is that your provided versions should then be higher than any ca-certificates-bundle version ever, as if starting with 3000..., to be higher than 2025.... version of the bundle, thus something like ca-certificates-bundle=30000101.${{package.full-version}}, which might be confusing.

In general however, it is recommended to either use incert - or to use the Chainguard Console, which will soon have a feature to upload certificate bundle and apply to all…
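The version-ordering point from the last reply, as an added example that is not part of the original discussion or of apk/melange itself: a simplified model of version comparison that shows why a versioned provides of `0.0.1-r0` ranks below a date-style bundle version and why the `30000101.` prefix ranks above it. Assumptions: only dotted numeric components with an optional `-rN` revision are handled, the upstream versions are constructed samples, and all function names are hypothetical.

```python
import re

# Constructed sample versions in the date style the reply refers to ("2025....").
UPSTREAM_SAMPLES = ["20240705-r0", "20250911-r3"]


def parse_version(version):
    """Split 'X.Y.Z-rN' into ((X, Y, Z), N). Simplified model, not apk's full grammar."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not match:
        raise ValueError(f"unsupported version format: {version!r}")
    components = tuple(int(part) for part in match.group(1).split("."))
    return components, int(match.group(2) or 0)


def compare(a, b):
    """Return -1, 0 or 1: components are compared first, then the -rN revision."""
    key_a, key_b = parse_version(a), parse_version(b)
    return (key_a > key_b) - (key_a < key_b)


def shadowing(provided, upstream_versions):
    """Upstream versions that are equal to or higher than the provided version."""
    return [u for u in upstream_versions if compare(u, provided) >= 0]


def prefixed_provides(full_version, prefix="30000101"):
    """Build the '30000101.<full-version>' form suggested in the reply."""
    return f"{prefix}.{full_version}"


if __name__ == "__main__":
    plain = "0.0.1-r0"  # version of certificates-stack from the error message
    boosted = prefixed_provides(plain)
    for candidate in (plain, boosted):
        losers = shadowing(candidate, UPSTREAM_SAMPLES)
        status = "outranks every sample" if not losers else f"shadowed by {losers}"
        print(f"ca-certificates-bundle={candidate}: {status}")
```
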