Update ca-certificates to be based on Alpine and use nested build

We were using Debian but Alpine more consistent. Use nested build.

Currently extract the hash in a nasty way but this can be fixed later
when we switch over hashing method.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

pkg/ca-certificates/Dockerfile

@@ -1,7 +1,8 @@
-FROM debian:testing
+FROM alpine:3.5 as alpine
 
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get -yq upgrade && apt-get install -yq ca-certificates
+RUN apk update && apk upgrade -a && apk add --no-cache ca-certificates
 
-RUN printf "FROM scratch\nCOPY /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/\n" > Dockerfile
-CMD ["tar", "cf", "-", "Dockerfile", "etc/ssl/certs/ca-certificates.crt"]
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=alpine /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

pkg/ca-certificates/Makefile

@@ -1,16 +1,19 @@
 .PHONY: tag push
 
-BASE=debian:testing
+BASE=alpine:3.5
 IMAGE=ca-certificates
 
+SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+
 default: push
 
 hash: Dockerfile
 	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build0 -
-	docker run --rm $(IMAGE):build0 | docker build --no-cache -t $(IMAGE):build -
-	docker run --rm -i $(IMAGE):build0 sh -c "cat /etc/ssl/certs/ca-certificates.crt /etc/debian_version | sha1sum - | sed 's/ .*//'" > $@
-	docker rmi $(IMAGE):build0
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	CONTAINER=$$(docker create $(IMAGE):build /dev/null); \
+		mkdir tmp && docker export $${CONTAINER} | tar xf - -C tmp && \
+		cat tmp/etc/ssl/certs/ca-certificates.crt | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > $@ && \
+		rm -rf tmp && docker rm $${CONTAINER}
 
 push: hash
 	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
@@ -26,6 +29,6 @@ tag: hash
 	rm -f hash
 
 clean:
-	rm -f hash
+	rm -f hash tmp
 
 .DELETE_ON_ERROR: