feat: remove locally hosted ca-certificates

packages/ca-certificates/Containerfile

@@ -1,9 +1,40 @@
-FROM scratch as base
-ENV VERSION=20240215
+FROM scratch AS base
 
-FROM base as install
+ENV SRC_1_VERSION=NSS_3_100_RTM
+ENV SRC_1_HASH=4d96bd539f4719e9ace493757afbe4a23ee8579de1c97fbebc50bba3c12e8c1e
+ENV SRC_1_FILE=certdata.txt
+ENV SRC_1_SITE=https://hg.mozilla.org/projects/nss/raw-file/${SRC_1_VERSION}/lib/ckfw/builtins/${SRC_1_FILE}
+
+ENV SRC_2_VERSION=20240315
+ENV SRC_2_HASH=0a6f1ac76c722353492a44c365afb74638971beb4de4349cee0c881db1b8f6df
+ENV SRC_2_FILE=ca-certificates-${SRC_2_VERSION}.tar.gz
+ENV SRC_2_SITE=https://gitlab.alpinelinux.org/alpine/ca-certificates/-/archive/${SRC_2_VERSION}/${SRC_2_FILE}
+
+FROM base AS fetch
+ADD --checksum=sha256:${SRC_1_HASH} ${SRC_1_SITE} /
+ADD --checksum=sha256:${SRC_2_HASH} ${SRC_2_SITE} /
+
+FROM fetch AS build
 COPY --from=stagex/busybox . /
-COPY cacert.pem /rootfs/etc/ssl/certs/ca-certificates.crt
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/openssl . /
+COPY --from=stagex/perl . /
+RUN tar -xf ca-certificates-${SRC_2_VERSION}.tar.gz
+WORKDIR ca-certificates-${SRC_2_VERSION}
+RUN --network=none <<-EOF
+	set -eux
 
-FROM stagex/filesystem as package
+	rm -f ./certdata.txt
+	mv ../certdata.txt ./certdata.txt
+	make
+EOF
+
+FROM build as install
+RUN --network=none make install DESTDIR=/rootfs
+RUN --network=none mv cert.pem /rootfs/etc/ssl/certs/ca-certificates.crt
+
+FROM stagex/filesystem AS package
 COPY --from=install /rootfs/. /

packages/curl/Containerfile

@@ -14,6 +14,7 @@ COPY --from=stagex/make . /
 COPY --from=stagex/musl . /
 COPY --from=stagex/gcc . /
 COPY --from=stagex/openssl . /
+COPY --from=stagex/ca-certificates . /
 RUN tar -xf curl-${VERSION}.tar.xz
 WORKDIR curl-${VERSION}
 RUN --network=none <<-EOF