Building using an image from a private repository results in "x509: certificate signed by unknown authority".

[chriseaton]

When our docker file specifies an image in a private repo, it causes the oci-build-task to fail. As far I could tell there's no way to specify a custom CA.

ERROR: failed to do request: Head "https://our-private-repo/v2/shared/centos/manifests/latest": x509: certificate signed by unknown authority

[CJLove]

Here's a possible workaround, with the downside that you're basically forking the official oci-build-task image and using it in the interim:

1. Build your own oci-build-task image with a Dockerfile like this to add your ca.crt file to the image, and push to your private registry

FROM docker.io/concourse/oci-build-task:latest

COPY ca.crt /usr/local/share/ca-certificates/

RUN update-ca-certificates

2. In your pipeline specify your oci-build-task image in place of the official one

...
  - task: build-task-image
    privileged: true
    config:
      platform: linux
      image_resource:
        type: registry-image
        source:
          repository: fir.love.io:3005/amd64/oci-build-task
          # repository: concourse/oci-build-task
          tag: latest
...

[lrstanley]

Related, that has a bit cleaner temporary solution that doesn't require making a custom image: #70 (comment)

Looking at the code, however, I believe adding an input for custom certs/ca should be pretty easy.