We leverage Zscaler Internet Access with TLS inspection as part of our base desktop images. Because of this, all requests to external sites receive an intermediate certificate anchored in a Zscaler root and is causing the MCP server calls out to the registry to fail:

tls: failed to verify certificate: x509: certificate signed by unknown authority

We either need the image to include known trusted intermediates (like the different Zscaler intermediates) or a way to pass in our own .pem file to the container to be added at container initialization.