From eabf8086d96ad209e2cf2204ade2e93ca1d336c8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 31 Mar 2026 08:12:29 +0000
Subject: [PATCH 1/2] Initial plan


From 2cd24b93b5d49182814ceb9a6d268bec82520b99 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 31 Mar 2026 08:19:06 +0000
Subject: [PATCH 2/2] Add ca-certificates feature

Agent-Logs-Url: https://github.com/devcontainer-community/devcontainer-features/sessions/18ee34fb-f22d-4fe1-854d-a3d77f181f05

Co-authored-by: sebst <592313+sebst@users.noreply.github.com>
---
 README.md                                     |  1 +
 src/ca-certificates/NOTES.md                  | 17 +++++
 src/ca-certificates/devcontainer-feature.json | 14 ++++
 src/ca-certificates/install.sh                | 65 +++++++++++++++++++
 test/ca-certificates/test.sh                  | 18 +++++
 5 files changed, 115 insertions(+)
 create mode 100644 src/ca-certificates/NOTES.md
 create mode 100644 src/ca-certificates/devcontainer-feature.json
 create mode 100755 src/ca-certificates/install.sh
 create mode 100755 test/ca-certificates/test.sh

diff --git a/README.md b/README.md
index f3ab8ea..c3c8aa1 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@
 | [biomejs.dev](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/biomejs.dev) | `biome` — fast JS/TS formatter and linter | gh release | 1.0.1 |
 | [btop](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/btop) | `btop` — resource monitor (CPU, memory, network, processes) | gh release | 1.0.3 |
 | [bun.sh](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/bun.sh) | `bun` — fast JS runtime and package manager | curl | 1.0.0 |
+| [ca-certificates](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/ca-certificates) | `ca-certificates` — install CA certificates and optionally add custom ones from URLs | apt | 1.0.0 |
 | [ccache.dev](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/ccache.dev) | `ccache` — compiler cache for faster C/C++ recompilation | apt | 1.0.0 |
 | [charmbracelet/gum](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/charmbracelet-gum) | `gum` — building blocks for shell scripts | gh release | 1.0.4 |
 | [chezmoi.io](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/chezmoi.io) | `chezmoi` — dotfiles manager across machines | gh release | 1.0.2 |
diff --git a/src/ca-certificates/NOTES.md b/src/ca-certificates/NOTES.md
new file mode 100644
index 0000000..91da43f
--- /dev/null
+++ b/src/ca-certificates/NOTES.md
@@ -0,0 +1,17 @@
+# ca-certificates
+
+## Project
+
+- [ca-certificates](https://packages.debian.org/stable/ca-certificates)
+
+## Description
+
+Installs the `ca-certificates` package, which provides common CA certificates for SSL/TLS certificate verification. Optionally downloads additional custom CA certificates from specified URLs and registers them with `update-ca-certificates`.
+
+## Installation Method
+
+Installed via the system package manager (`apt`). Additional certificates are downloaded with `wget` or `curl` (installing `curl` if neither is available) and placed in `/usr/local/share/ca-certificates`, then registered via `update-ca-certificates`.
+
+## Other Notes
+
+_No additional notes._
diff --git a/src/ca-certificates/devcontainer-feature.json b/src/ca-certificates/devcontainer-feature.json
new file mode 100644
index 0000000..7b7b1b2
--- /dev/null
+++ b/src/ca-certificates/devcontainer-feature.json
@@ -0,0 +1,14 @@
+{
+    "name": "ca-certificates",
+    "id": "ca-certificates",
+    "version": "1.0.0",
+    "description": "Install \"ca-certificates\" and optionally add custom CA certificates from URLs",
+    "documentationURL": "https://github.com/devcontainer-community/devcontainer-features/tree/main/src/ca-certificates",
+    "options": {
+        "urls": {
+            "type": "string",
+            "default": "",
+            "description": "Newline-separated list of URLs to download as additional CA certificates into /usr/local/share/ca-certificates."
+        }
+    }
+}
diff --git a/src/ca-certificates/install.sh b/src/ca-certificates/install.sh
new file mode 100755
index 0000000..9b013b3
--- /dev/null
+++ b/src/ca-certificates/install.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+set -o noclobber
+set -o nounset
+set -o allexport
+readonly name="ca-certificates"
+readonly caCertificatesDir="/usr/local/share/ca-certificates"
+apt_get_update() {
+    if [ "$(find /var/lib/apt/lists/* | wc -l)" = "0" ]; then
+        echo "Running apt-get update..."
+        apt-get update -y
+    fi
+}
+apt_get_checkinstall() {
+    if ! dpkg -s "$@" >/dev/null 2>&1; then
+        apt_get_update
+        DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends --no-install-suggests --option 'Debug::pkgProblemResolver=true' --option 'Debug::pkgAcquire::Worker=1' "$@"
+    fi
+}
+apt_get_cleanup() {
+    apt-get clean
+    rm -rf /var/lib/apt/lists/*
+}
+echo_banner() {
+    local text="$1"
+    echo -e "\e[1m\e[97m\e[41m$text\e[0m"
+}
+download_file() {
+    local url=$1
+    local target=$2
+    if command -v wget >/dev/null 2>&1; then
+        wget -q -O "$target" "$url"
+    elif command -v curl >/dev/null 2>&1; then
+        curl -fsSL -o "$target" "$url"
+    else
+        apt_get_checkinstall curl
+        curl -fsSL -o "$target" "$url"
+    fi
+}
+install() {
+    apt_get_checkinstall ca-certificates
+    if [ -n "${URLS:-}" ]; then
+        mkdir -p "$caCertificatesDir"
+        while IFS= read -r url; do
+            url="$(echo "$url" | tr -d '[:space:]')"
+            if [ -n "$url" ]; then
+                echo "Downloading certificate from $url..."
+                local filename
+                filename="$(basename "$url" | tr -cd 'a-zA-Z0-9._-')"
+                if [ -z "$filename" ]; then
+                    echo "Skipping '$url': could not derive a safe filename."
+                    continue
+                fi
+                download_file "$url" "$caCertificatesDir/$filename"
+            fi
+        done <<< "$URLS"
+        update-ca-certificates
+    fi
+    apt_get_cleanup
+}
+echo_banner "devcontainer.community"
+echo "Installing $name..."
+install "$@"
+echo "(*) Done!"
diff --git a/test/ca-certificates/test.sh b/test/ca-certificates/test.sh
new file mode 100755
index 0000000..bb26aac
--- /dev/null
+++ b/test/ca-certificates/test.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+# Optional: Import test library bundled with the devcontainer CLI
+# See https://github.com/devcontainers/cli/blob/HEAD/docs/features/test.md#dev-container-features-test-lib
+# Provides the 'check' and 'reportResults' commands.
+source dev-container-features-test-lib
+
+# Feature-specific tests
+# The 'check' command comes from the dev-container-features-test-lib. Syntax is...
+# check <LABEL> <cmd> [args...]
+check "ca-certificates installed" test -f /etc/ssl/certs/ca-certificates.crt
+check "update-ca-certificates available" bash -c "command -v update-ca-certificates"
+
+# Report results
+# If any of the checks above exited with a non-zero exit code, the test will fail.
+reportResults