fix: ship CA bundle in layered image for kms-client TLS

packages/sdk/src/client/common/templates/Dockerfile.layered.tmpl

@@ -11,6 +11,11 @@ USER root
 {{/if}}
 
 # Copy core TEE components
+# CA bundle for kms-client / tls-keygen to validate HTTPS calls to
+# eigencloud.xyz endpoints. Bundled at a non-standard path and consumed
+# only via SSL_CERT_FILE in compute-source-env.sh, so the user's
+# /etc/ssl/ is never touched.
+COPY --from=alpine:3.20.10 /etc/ssl/certs/ca-certificates.crt /usr/local/share/eigenx-ca-certs.crt
 COPY compute-source-env.sh /usr/local/bin/
 COPY kms-client /usr/local/bin/
 COPY kms-signing-public-key.pem /usr/local/bin/

packages/sdk/src/client/common/templates/compute-source-env.sh.tmpl

@@ -3,7 +3,7 @@ echo "compute-source-env.sh: Running setup script..."
 
 # Fetch and source environment variables from KMS
 echo "Fetching secrets from KMS..."
-if /usr/local/bin/kms-client \
+if SSL_CERT_FILE=/usr/local/share/eigenx-ca-certs.crt /usr/local/bin/kms-client \
   --kms-server-url "{{kmsServerURL}}" \
   --kms-signing-key-file /usr/local/bin/kms-signing-public-key.pem \
   --userapi-url "{{userAPIURL}}" \
@@ -61,7 +61,8 @@ setup_tls() {
 
     echo "compute-source-env.sh: Obtaining TLS certificate using $challenge challenge..."
     # Pass the API URL for certificate persistence
-    if ! MNEMONIC="$mnemonic" DOMAIN="$domain" API_URL="{{userAPIURL}}" /usr/local/bin/tls-keygen \
+    if ! SSL_CERT_FILE=/usr/local/share/eigenx-ca-certs.crt \
+       MNEMONIC="$mnemonic" DOMAIN="$domain" API_URL="{{userAPIURL}}" /usr/local/bin/tls-keygen \
         -challenge "$challenge" \
         $staging_flag; then
         echo "compute-source-env.sh: ERROR - Failed to obtain TLS certificate"