From 4fc4456ccd57f113801c4332bb31b23d9ccb1bdb Mon Sep 17 00:00:00 2001
From: Asish Kumar
Date: Wed, 20 May 2026 13:05:41 +0530
Subject: [PATCH] fix: include CA certificates in the pack base image

The delivery-docker workflow builds the Dockerfile twice: the tiny image (buildpacksio/pack and :latest) from gcr.io/distroless/static, and the base image (buildpacksio/pack:-base and :base) from ubuntu:jammy.

The distroless base bundles a CA certificate store, but the ubuntu:jammy image does not ship the ca-certificates package. As a result the -base image has no trusted roots, and any pack command that talks to a registry over TLS fails:

    ERROR: ... Get "https://index.docker.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

Copy the CA bundle from the golang builder stage (which is Debian based and includes ca-certificates) into the final image. This restores trusted roots for the ubuntu:jammy -base image and is a harmless no-op for the distroless image, which already ships the same bundle at that path, so a single line fixes every published base image.

Verified by building the Dockerfile with both base images and performing an HTTPS request to a registry from inside each: ubuntu:jammy fails without the copy and succeeds with it, and the distroless image keeps working.

Resolves #2488

Signed-off-by: Asish Kumar
--- Dockerfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Dockerfile b/Dockerfile index 1ccb2e790..4c915ca2a 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -9,5 +9,10 @@ COPY . . RUN make build FROM ${base_image} +# Ensure CA certificates are present so pack can make TLS connections (e.g. to +# pull builder and run images from registries). The distroless base bundles +# them, but ubuntu:jammy used for the -base image does not, so copy the bundle +# from the builder stage to cover every base image. See #2488. +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=builder /app/out/pack /usr/local/bin/pack ENTRYPOINT [ "/usr/local/bin/pack" ]
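Review bot: The added `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt` overwrites the destination unconditionally, so on the distroless image it replaces the base's bundle rather than acting as a no-op, and the trusted roots of every published image now follow whatever ca-certificates version the builder stage happens to carry instead of the base image. The new comment should say that explicitly, and the builder image should be kept current (or pinned and bumped deliberately) so a stale builder does not ship removed or distrusted roots; the alternative is to install ca-certificates only in the ubuntu:jammy variant and leave the distroless store untouched. Also note that only the single bundle file is copied, not the ca-certificates package, so anyone extending the -base image to add a private CA will not have `update-ca-certificates` available; a sentence in the comment or the image docs would cover that. Since the fix was verified by hand, consider adding a step to the delivery-docker workflow that makes a TLS request from inside each built image, so a regression in either base is caught before publishing.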