Fix CA certificate processing when a certificate is a symlink (#558)

Usually, a certificate in a mount will be a regular file. However in some environments, like when providing certificates
via a `ConfigMap` in a Kubernetes context, the certificate file will be a symlink. Our CA certificate processing copies
certificate files to a new location and since the symlink targets are hidden files in the same directory, those do not
get copied along and symlinks could become broken. This patch dereferences symlinks when copying to avoid broken links.

Signed-off-by: Nikolai Prokoschenko <[email protected]>
Co-authored-by: Martijn Verburg <[email protected]>

.test/tests/java-ca-certificates-update/certs_symlink/.dockerbuilder.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL
+BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1
+aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ
+kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s
+N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI
+hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy
+Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw
+me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR
+w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB
+o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU
+r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d
+kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT
+DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb
+WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ
+CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU
+ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg==
+-----END CERTIFICATE-----

.test/tests/java-ca-certificates-update/certs_symlink/.dockerbuilder.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt86CaW41cQgTs
+Fa+3uMaB1lb/Lmw3vwVyll0zxnYVq2+Mkq82Yn06SSQ5I0GEYoBakefX0kw11Dac
+SZMcx62DSGJKpEiEFx4BjiUN87PEDJkYalXMv1TUH2Y6tfk7cR50XkBW+XQ1lWMT
+CzC4ZpRrfNkEArJnlW//PwvDa5giz923DyVykQBvvwFnxsCGGGX5f61MYrxqCJss
+ZAlP2X8nFLelfLCZ7hhopBBGC+6o5MS37H7RoDkTYRRM4arQuL6LWtqd/qi7kPP9
+jou1fBP+PZt/hlHDZgelhkvnhQS0xYRLYoCOxne7gMLFQgR9bwSDFQiFx6kgM/WH
+TkDd9KJZAgMBAAECggEAAi4knsKpKn/xAATZO2LaFBcGZ0ji64Od/cduMB+w67PG
+yxAsmNsnqX3GBzROq3+GOdG3LPCSastNNZduJq/HAuH69Ly15E1GNOvzQXHtmHZg
+SzAhVqwK6WS3sI0xgZdOSSmZl1glkXqyRPMV333OUZbn68GykD331c8UZpTi5tlx
+qdOSEWwXQyVXh2mTT8uWWvqJm8OVaSUEo0KPNhsfWliINAXaDvlFle18wb0sQvAK
+d/49VMmEoQMocHcXas5jVHZZzxwQ8gV+cA1nFOzOEOYX1IyHjJdfEUWT7Pa3LEjg
+rPjEe/KiA3X9mVmofRG0Gvl8YjMiUEOBF/p9hgUxfQKBgQDY3oBUpkwhy3lRw2nu
+PublbozVZi12hrEPIlqLSIda6i0hbCA2E5VBykuP7z0VnQOiHQWQPJ77BYEzR6xw
+Z/PoJJL8knxtqVg9FsQlcsseDNW2THp53vf/Fiy4t+GoJZ7yezVyYI7RzngDPnCw
+buiYUsd9+uKo8+Gs0fnZGSuRvQKBgQDNVrS2/A8NKRv/3cddNqEN4m16pVmAJg8G
+Ww7t40W9c/lPW2SBH7wpEUW37N3b8lv1A8L24nJSbqiMjIkFxWroeOeFFEzKWp9r
+BlFUu0kn5oAOI1NJOEOmjR9+SslDXetKDJpon60GYWJ8ke5jfaYUTEWIxUXRYOsX
+mg8+L2iGzQKBgQCrzWiAptU9GIJdoZ8znCUysKdlDvMJKJ7vzFlKagTAoy9pgMzr
+ygu9+NJvjikoDCEqti8IGt4fIjc+NpOG4PM6fm7rI+jqvvMmQfjVaeE7RxOuvVtx
+XI++RwTauOFNYbBPjAfFOnUqBJTSjQ6c1t/we/OJ+8y/56RqUlXKBMSdSQKBgQDD
+Wz2dZduwCq9/0/FL5qB9hDHiYJPxDsR2qIVgoDyGjWLhNDM/ggDTFYK+BNXi3wbL
+6aNAnZpkgLFM3puyaOtYd0bVXsXcMzG+cglI0tI76tlkGgmv/J6oQ1V2IxKuTBmB
+ntH8vgWwr1Ay8efasf0jDJmPERhmpo2kK8daw2Hv9QKBgAaxusMUdCSBu5YwI6u4
+6d0nN6WdY2aVcgQXbhJEpsaxT9KqN+LP5wZNf08hyUiO4zSrfVOapOS+10Ng1EYi
+YQi8SjQd5deIc/jKKT5k9lCRcfhDq7YQo5pZbUgzDDuxod0WduvBnrf4zAl+K32V
+1HI3wrgh88qBEGASVY8y6rDH
+-----END PRIVATE KEY-----

.test/tests/java-ca-certificates-update/certs_symlink/README.md

@@ -0,0 +1 @@
+This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt` and is only used for testing

.test/tests/java-ca-certificates-update/certs_symlink/dockerbuilder.crt

@@ -0,0 +1 @@
+.dockerbuilder.crt

.test/tests/java-ca-certificates-update/expected-std-out.txt

@@ -1 +1 @@
-01010100010101010001
+010101000001010101000001

.test/tests/java-ca-certificates-update/run.sh

@@ -61,7 +61,14 @@ echo -n $?
 docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
 echo -n $?
 
-# Test run 5: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
+# Test run 5: Certificates are mounted and are symlinks (e.g. in Kubernetes as `Secret`s or `ConfigMap`s) and the
+# environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 6: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
 # CMD1 to succeed and CMD2 to fail.
 docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" $CMD1 >&/dev/null
 echo -n $?
@@ -98,7 +105,14 @@ echo -n $?
 docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
 echo -n $?
 
-# Test run 5: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
+# Test run 5: Certificates are mounted and are symlinks (e.g. in Kubernetes as `Secret`s or `ConfigMap`s) and the
+# environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 6: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
 # CMD1 to succeed and CMD2 to fail.
 #
 docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" $CMD1 >&/dev/null

11/jdk/alpine/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

11/jdk/centos/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

11/jdk/ubi/ubi9-minimal/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

11/jdk/ubuntu/focal/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

11/jdk/ubuntu/jammy/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

11/jre/alpine/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

11/jre/centos/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

11/jre/ubi/ubi9-minimal/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

11/jre/ubuntu/focal/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

11/jre/ubuntu/jammy/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jdk/alpine/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jdk/centos/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jdk/ubi/ubi9-minimal/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jdk/ubuntu/focal/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jdk/ubuntu/jammy/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jre/alpine/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jre/centos/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jre/ubi/ubi9-minimal/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jre/ubuntu/focal/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

17/jre/ubuntu/jammy/entrypoint.sh

@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi