Description
Is your feature request related to a problem? Please describe.
I'm behind a corporate firewall which uses SSL filtering to decrypt HTTPS traffic for security scanning, before re-encrypting the response and sending it along.
My system is managed and the corporate firewall's CA certificate is trusted, so requests made on the host do not fail due to invalid SSL certificates.
However, containers running under OrbStack will fail because this trusted CA certificate is missing.
Docker Desktop does not have this issue because of the following feature.
Add custom CA certificates (server side)
All trusted CAs (root or intermediate) are supported. Docker Desktop creates a certificate bundle of all user-trusted CAs based on the Mac Keychain, and appends it to Moby trusted certificates. So if an enterprise SSL certificate is trusted by the user on the host, it is trusted by Docker Desktop.
See the following.
$ docker --context desktop-linux run --rm alpine:latest@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c wget https://registry-1.docker.io/v2/
Connecting to registry-1.docker.io (98.85.153.80:443)
wget: server returned error: HTTP/1.1 401 Unauthorized
$ docker --context orbstack run --rm alpine:latest@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c wget https://registry-1.docker.io/v2/
Connecting to registry-1.docker.io (98.85.153.80:443)
206DE3B3FFFF0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2103:
ssl_client: SSL_connect
wget: error getting response: Connection reset by peer
Describe the solution you'd like
Implement the same feature as Docker Desktop so trusted CAs from the host are also trusted in containers or by the container runtime.
Describe alternatives you've considered
Manually exporting the trusted CA and either mounting it or embedding it in all built container images is extremely laborious and means we have to build development-environment-specific container images.
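As an added example (not part of the original issue, and not OrbStack's or Docker Desktop's code), the script below scripts the manual workaround the last paragraph describes, mirroring the quoted Docker Desktop behaviour: export the certificates from the macOS keychains, append them to the image's own CA bundle without duplicating entries, and mount the result over the image's bundle. It assumes the macOS `security` tool and the standard keychain paths (the login keychain path in particular is an assumption), that the image keeps its bundle at `/etc/ssl/certs/ca-certificates.crt` (true for alpine and Debian-based images), and uses two constructed placeholder PEM blocks, not real certificates, so the merge step can be exercised offline.

```shell
#!/bin/sh
# Added example, not OrbStack's or Docker Desktop's code. Reproduces by hand
# what the quoted Docker Desktop feature does: host-trusted CAs appended to
# the image's own CA bundle, which is then mounted into the container.
set -eu

# Dump every certificate in the standard macOS keychains as PEM.
# Caveat: `security find-certificate -a -p` lists all certificates in a
# keychain, not only those carrying a "trusted" setting; review the output
# on a managed machine. The login keychain path below is an assumption.
export_host_cas() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; this step only works on macOS" >&2
        return 1
    fi
    for kc in /System/Library/Keychains/SystemRootCertificates.keychain \
              /Library/Keychains/System.keychain \
              "$HOME/Library/Keychains/login.keychain-db"; do
        if [ -r "$kc" ]; then
            security find-certificate -a -p "$kc"
        fi
    done
}

# merge_bundle BASE EXTRA OUT: write BASE followed by every certificate in
# EXTRA that is not already present (compared as an exact PEM block), so the
# merge is idempotent and host CAs are appended to, not substituted for, the
# image's own roots.
merge_bundle() {
    cat "$1" "$2" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1; block = "" }
        inblock { block = block $0 "\n" }
        /^-----END CERTIFICATE-----$/ {
            inblock = 0
            if (!(block in seen)) { seen[block] = 1; printf "%s", block }
        }' > "$3"
}

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c '^-----END CERTIFICATE-----$' "$1"
}

# build_host_bundle OUT: the real thing on a Mac. Takes the image's own
# bundle from alpine (assumed path /etc/ssl/certs/ca-certificates.crt) and
# appends the keychain export to it.
build_host_bundle() {
    tmp=$(mktemp -d)
    docker run --rm alpine:latest cat /etc/ssl/certs/ca-certificates.crt \
        > "$tmp/container-bundle.pem"
    export_host_cas > "$tmp/host-cas.pem"
    merge_bundle "$tmp/container-bundle.pem" "$tmp/host-cas.pem" "$1"
    rm -rf "$tmp"
}

# Constructed sample inputs (placeholders, not real certificates) so the
# merge can be exercised offline: the image bundle already contains A, the
# keychain export contains A plus the corporate firewall's CA B.
CERT_A='-----BEGIN CERTIFICATE-----
MIIBsampleRootCAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-----END CERTIFICATE-----'
CERT_B='-----BEGIN CERTIFICATE-----
MIIBsampleCorporateFirewallCAbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
-----END CERTIFICATE-----'

# write_samples DIR: create container-bundle.pem and host-cas.pem in DIR.
write_samples() {
    printf '%s\n' "$CERT_A" > "$1/container-bundle.pem"
    printf '%s\n%s\n' "$CERT_A" "$CERT_B" > "$1/host-cas.pem"
}

# Stand-alone run on the constructed data only; call build_host_bundle
# ca-bundle.pem on a Mac to produce a real bundle.
workdir=$(mktemp -d)
write_samples "$workdir"
merge_bundle "$workdir/container-bundle.pem" "$workdir/host-cas.pem" \
             "$workdir/merged.pem"
echo "sample merge: $(count_certs "$workdir/merged.pem") certificates (A once, B once)"
rm -rf "$workdir"
```

On a Mac, `build_host_bundle ca-bundle.pem` writes the merged file; mount it read-only over the image's bundle, for example `docker run --rm -v "$PWD/ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt:ro" alpine:latest wget -O- https://registry-1.docker.io/v2/`. This covers OpenSSL-based tools inside the container (busybox wget, curl, most system packages); programs that carry their own trust store, such as Java keystores or Python's certifi bundle, ignore this file, the mount does nothing for pulls made by the container runtime itself, and the bundle has to be rebuilt whenever the corporate CA rotates.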