installer stock images fail to validate any HTTPS certificates (ca-certificates missing)

Bug #1807023 reported by Mauricio Faria de Oliveira
This bug affects 2 people
Affects                     Status         Importance  Assigned to                  Milestone
debian-installer            Fix Released   Unknown
ca-certificates (Ubuntu)    Invalid        Medium      Unassigned
  Trusty                    Fix Released   Medium      Mauricio Faria de Oliveira
  Xenial                    Fix Released   Medium      Mauricio Faria de Oliveira
  Bionic                    Invalid        Medium      Unassigned
  Cosmic                    Invalid        Medium      Unassigned
  Disco                     Invalid        Medium      Unassigned
debian-installer (Debian)   Fix Released   Unknown
debian-installer (Ubuntu)   Fix Released   Medium      Mauricio Faria de Oliveira
  Trusty                    Fix Released   Medium      Mauricio Faria de Oliveira
  Xenial                    Fix Released   Medium      Mauricio Faria de Oliveira
  Bionic                    Fix Released   Medium      Mauricio Faria de Oliveira
  Cosmic                    Fix Released   Medium      Mauricio Faria de Oliveira
  Disco                     Fix Released   Medium      Mauricio Faria de Oliveira

Bug Description

[Impact]

 * The installer stock images fail to validate any HTTPS
   certificates because ca-certificates is not available
   in the installer environment.

 * This causes wget/download errors for preseed files on
   HTTPS servers (or HTTP servers that redirect to HTTPS,
   which are increasingly common nowadays - e.g., GitHub)
   and theoretically any other files that are downloaded
   with d-i-utils/fetch-url/wget.

 * The fix is to ship ca-certificates-udeb in installer
   stock images.

 * Debian already ships ca-certificates-udeb in the stock
   installer images; the fix has been applied since Jan 2017.
   (reference: Debian Bug #842040 / d-i commit 2f00c51a [1])

[Test Case]

 * In the installer shell:

   ~ # wget http://github.com # or https://github.com

   - FAIL if ca-certificates-udeb is missing:
     "ERROR: cannot verify github.com's certificate, <...>"

   - PASS if ca-certificates-udeb is available
     "Saving to: 'index.html'"

 * Test steps with virt-install and netboot images
   are provided in the comments, for each release.

[Regression Potential]

 * Low. This just adds the ca-certificates files in
   /etc/ssl/certs and symlink in /usr/lib/ssl/certs,
   so only tools looking for that would be affected.

 * Apparently only wget checks for/uses those files,
   and the difference in behavior is download errors
   no longer occur.

[Notes]

 * The ca-certificates-udeb is not currently present
   in the Ubuntu 'main' component, but in 'universe',
   despite the normal deb being in 'main'.

   However, when rebuilding in a PPA it goes into
   'main' accordingly, and can be used by default
   by debian-installer (otherwise, UDEB_COMPONENTS
   has to be modified to include universe/d-i).

 * So this fix includes a no-change-rebuild for the
   ca-certificates package, in order to publish the
   udeb in the archive (at least in PPA for testing).

   Hopefully that can be sorted out for this fix
   to work out.

 * The ca-certificates and debian-installer builds
   have been done in a PPA using all architectures,
   and testing has been done with the amd64 images.

 * This fix is requested for Bionic, Cosmic, Disco
   at least.

 * The fix for Trusty and Xenial needed a little
   bit more work to build/ship the (new) udeb.
   (reference: Debian Bug #845456 / ca-certificates commit 3acb3a90 [2])

   It would be good to have them too if at all possible.

[1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6
[2] https://salsa.debian.org/debian/ca-certificates/commit/3acb3a9042a00307ba35d10052d81cdc206c34a4

[Debugging]

For debugging purposes, one can install strace-udeb in the installer to verify wget's stat() calls to /usr/lib/ssl/certs.

~ # anna-install strace-udeb

~ # strace -e stat wget -O- https://github.com >/dev/null
...
Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
140.82.118.3, 140.82.118.4
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
+++ exited with 5 +++
~ #

~ # anna-install ca-certificates-udeb # not in archive yet.
unknown udeb ca-certificates-udeb

~ # wget --no-check-certificate https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates-udeb_20180409_all.udeb

~ # udpkg -i ca-certificates-udeb_20180409_all.udeb

~ # strace -e stat wget -O- https://github.com >/dev/null
...
Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
140.82.118.3, 140.82.118.4
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0
stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
HTTP request sent, awaiting response... 200 OK
stat("-", 0x7fffbb943558) = -1 ENOENT (No such file or directory)
Length: unspecified [text/html]
Saving to: 'STDOUT'
...
+++ exited with 0 +++
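The stat() calls in the strace above are OpenSSL's hashed-directory lookup: the verifier computes X509_NAME_hash of the issuer's name (first four bytes of the SHA-1 of the canonical DER name, read little-endian, eight hex digits; the scheme used since OpenSSL 1.0.0) and tries <hash>.0, <hash>.1, ... in the CA directory until one is missing. The following is an added example, not code from the bug report, wget or OpenSSL. It reimplements that hash and lookup so the file names in the strace can be mapped back to a DN without an OpenSSL install. Assumptions: only the C/O/OU/CN attribute types that appear in the DNs on this page are encoded, each RDN is single-valued, the DN strings contain no escaped separators, and the stand-in "certificate" file written in demo() is constructed (its content is irrelevant to the name lookup). The names parse_dn, subject_hash, hashed_cert_present and demo are this example's own.

```python
import hashlib
import os
import struct
import tempfile

# DER of the attribute-type OIDs used in the DNs on this page (assumption: no others needed).
OID_DER = {
    "C":  b"\x06\x03\x55\x04\x06",   # 2.5.4.6  countryName
    "O":  b"\x06\x03\x55\x04\x0a",   # 2.5.4.10 organizationName
    "OU": b"\x06\x03\x55\x04\x0b",   # 2.5.4.11 organizationalUnitName
    "CN": b"\x06\x03\x55\x04\x03",   # 2.5.4.3  commonName
}
ASCII_WS = " \t\n\r\x0b\x0c"


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def canon_value(value):
    """Canonical directory-string value as OpenSSL's asn1_string_canon makes it:
    strip leading/trailing ASCII whitespace, collapse inner ASCII whitespace runs
    to one space, ASCII-lowercase, keep non-ASCII untouched; emit as UTF-8."""
    out, pending_space = [], False
    for ch in value.strip(ASCII_WS):
        if ch in ASCII_WS:
            pending_space = True
            continue
        if pending_space:
            out.append(" ")
            pending_space = False
        out.append(ch.lower() if ord(ch) < 0x80 else ch)
    return "".join(out).encode("utf-8")


def canonical_name(rdns):
    """Canonical DER of a name: each RDN as SET { SEQUENCE { OID, UTF8String } },
    concatenated without the outer SEQUENCE header (OpenSSL i2d_name_canon)."""
    out = b""
    for attr, value in rdns:
        atv = _tlv(0x30, OID_DER[attr] + _tlv(0x0c, canon_value(value)))
        out += _tlv(0x31, atv)
    return out


def subject_hash(rdns):
    """X509_NAME_hash as used for <hash>.N file names in a hashed CA directory."""
    digest = hashlib.sha1(canonical_name(rdns)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def parse_dn(text):
    """Accept both spellings wget prints on this page and return DER order:
    '/C=US/O=.../CN=...' is already DER order; 'CN=...,OU=...,O=...,C=US'
    (RFC 2253) is most-specific first, so it is reversed."""
    if text.startswith("/"):
        parts = text[1:].split("/")
    else:
        parts = list(reversed(text.split(",")))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value))
    return rdns


def hashed_cert_present(rdns, cert_dir):
    """Mirror the stat() sequence in the strace: <hash>.0, <hash>.1, ... until
    ENOENT. Returns how many candidate files exist; 0 is the
    'Unable to locally verify the issuer's authority' case."""
    stem = subject_hash(rdns)
    n = 0
    while os.path.exists(os.path.join(cert_dir, "%s.%d" % (stem, n))):
        n += 1
    return n


def demo():
    """Offline before/after: an empty directory stands in for the stock installer,
    then a constructed <hash>.0 file stands in for what ca-certificates-udeb ships."""
    issuer = parse_dn("CN=DigiCert SHA2 Extended Validation Server CA,"
                      "OU=www.digicert.com,O=DigiCert Inc,C=US")
    with tempfile.TemporaryDirectory() as d:
        before = hashed_cert_present(issuer, d)
        with open(os.path.join(d, subject_hash(issuer) + ".0"), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(constructed stand-in)\n-----END CERTIFICATE-----\n")
        after = hashed_cert_present(issuer, d)
    return before, after


if __name__ == "__main__":
    print(subject_hash(parse_dn("/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA")))
    print(demo())
```

To match a file name from the strace to a CA, run subject_hash() over the issuer DN wget prints and over the DN of the root that signs it, then compare with the stems stat()-ed; on a real system the same numbers come from `openssl x509 -noout -subject_hash -in <cert>`.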

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Testing steps common to all releases:
====================================

$ wget <netboot linux/initrd.img>

$ virt-install \
  --name RELEASE \
  --vcpus 2 \
  --memory 512 \
  --disk size=4,bus=virtio,format=qcow2 \
  --network user,model=virtio \
  --graphics none \
  --import \
  --boot kernel=linux,initrd=initrd.gz,kernel_args='console=ttyS0 ipv6.disable=1 auto=true hostname=ubuntu'

Wait for network configuration steps to occur, then:
In dialog 'Download debconf preconfiguration file' select 'Continue'.
In dialog 'Select a language' select 'Go Back'.
In menu select 'Execute a shell', then select 'Continue'.

~ # cat /etc/default-release # for reference
~ # ls -d /usr/lib/ssl/certs/ # check if available

~ # wget http://github.com # check error/success

Then ctrl+] to exit virsh console, and destroy/wipe guest.
$ virsh destroy RELEASE
$ virsh undefine --remove-all-storage RELEASE

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Testing :: Disco
================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/disco/main/installer-amd64/20101020ubuntu559/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
disco

~ # ls -d /usr/lib/ssl/certs/
ls: /usr/lib/ssl/certs/: No such file or directory

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

Then ctrl+] to exit console, and
$ virsh destroy disco; virsh undefine --remove-all-storage disco

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/disco/main/installer-amd64/20101020ubuntu560/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
disco

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
Saving to: 'index.html'

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Testing :: Cosmic
=================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/cosmic/main/installer-amd64/20101020ubuntu557/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
cosmic

~ # ls -d /usr/lib/ssl/certs/
ls: /usr/lib/ssl/certs/: No such file or directory

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/cosmic/main/installer-amd64/20101020ubuntu557.1/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
cosmic

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
Saving to: 'index.html'

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Testing :: Bionic
=================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/bionic-proposed/main/installer-amd64/20101020ubuntu543.3/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
bionic

~ # ls -d /usr/lib/ssl/certs/
ls: /usr/lib/ssl/certs/: No such file or directory

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/bionic/main/installer-amd64/20101020ubuntu543.4/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
bionic

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-05 21:54:39-- https://github.com/
<...>
Saving to: 'index.html'

description: updated
description: updated
Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

The debdiffs for ca-certificates and debian-installer for Disco/Cosmic/Bionic were uploaded.

Changed in debian-installer (Ubuntu):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "ca-certificates_disco.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Dan Streetman (ddstreet)
tags: added: sts sts-sponsor sts-sponsor-ddstreet
Dan Streetman (ddstreet)
Changed in debian-installer (Ubuntu Disco):
status: New → In Progress
Changed in debian-installer (Ubuntu Cosmic):
status: New → In Progress
Changed in debian-installer (Ubuntu Bionic):
status: New → In Progress
Changed in debian-installer (Ubuntu Xenial):
status: New → In Progress
status: In Progress → New
Changed in debian-installer (Ubuntu Disco):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Cosmic):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Bionic):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Xenial):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Trusty):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Cosmic):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in debian-installer (Ubuntu Bionic):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in debian-installer (Debian):
status: Unknown → Fix Released
Revision history for this message
Dan Streetman (ddstreet) wrote :

fix LP: #NNNNN tag in commit description

Revision history for this message
Dan Streetman (ddstreet) wrote :

upload correct fixed debdiff :)

Revision history for this message
Dan Streetman (ddstreet) wrote :

rename disco debdiff to add pkg name since this bug has 2 pkgs

Dan Streetman (ddstreet)
Changed in ca-certificates (Ubuntu Bionic):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
importance: Undecided → Medium
status: New → In Progress
Changed in ca-certificates (Ubuntu Cosmic):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
importance: Undecided → Medium
status: New → In Progress
Changed in ca-certificates (Ubuntu Disco):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
importance: Undecided → Medium
status: New → In Progress
Revision history for this message
Dan Streetman (ddstreet) wrote :
Revision history for this message
Dan Streetman (ddstreet) wrote :
Revision history for this message
Dan Streetman (ddstreet) wrote :

attached debdiffs for ca-certificates and debian-installer for b/c/d with LP: #NNN tag corrected to use this bug number.

Revision history for this message
Eric Desrochers (slashd) wrote :

d-i for disco uploaded but it now FTBFS because it cannot locate ca-certificates-udeb.

For some reason, I didn't notice beforehand, but ca-certificates (deb)[1] is found in 'main' while ca-certificates (udeb)[2] is in 'universe', and I suspect the build failure is due to the fact that the builder doesn't look in 'universe' for it, as it needs to be in 'main'.

@archive-admin
Since ca-certificates is already in 'main', can we promote its udeb into 'main' as well,
without the need for a MIR?

Note: We tried to rebuild ca-certificates w/ no change and see if the new udeb would be in 'main' but it remained in 'universe' so this will definitely require an archive admin manipulation.

I already pinged them on #ubuntu-release (Freenode)

[1] - http://archive.ubuntu.com/ubuntu/pool/main/c/ca-certificates/
[2] - http://archive.ubuntu.com/ubuntu/pool/universe/c/ca-certificates/

- Eric

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :
Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :
Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Testing :: Xenial
=================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/installer-amd64/20101020ubuntu451.26/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
xenial

~ # ls -d /usr/lib/ssl/certs
ls: /usr/lib/ssl/certs: No such file or directory

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
...
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
~ #

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/xenial/main/installer-amd64/20101020ubuntu451.27/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
xenial

~ # ls -d /usr/lib/ssl/certs
/usr/lib/ssl/certs

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
...
Saving to: 'index.html'

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Testing :: Trusty
=================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/trusty-updates/main/installer-amd64/20101020ubuntu318.44/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

<trusty needs to proceed manually/press enter a few times in the installer>

~ # cat /etc/default-release
trusty

~ # ls -d /usr/lib/ssl/certs
ls: /usr/lib/ssl/certs: No such file or directory

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
...
ERROR: cannot verify github.com's certificate, issued by '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/trusty/main/installer-amd64/20101020ubuntu318.45/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
trusty

~ # ls -d /usr/lib/ssl/certs
/usr/lib/ssl/certs

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
...
Saving to: 'index.html'

description: updated
Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

The ca-certificates fix for Xenial and Trusty
includes the changes to build the (new) udeb.

The normal deb package has been verified for
regressions (next comments) and it is correct,
with no functional changes whatsoever.

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Package Contents :: Xenial
==========================

No regressions in ca-certificates DEB file
after the changes to build the UDEB file.

The only difference is due to the changes
in changelog file and package version.

dpkg-deb -c (content listing)
-----------

$ dpkg-deb -c ca-certificates_20170717~16.04.2_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.new
$ dpkg-deb -c ca-certificates_20170717~16.04.1_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.old

$ diff dpkg-deb_-c.{old,new}
14c14
< -rw-r--r-- root/root 12885 2017-09-27 HH:MM ./usr/share/doc/ca-certificates/changelog.gz
---
> -rw-r--r-- root/root 12948 2018-12-06 HH:MM ./usr/share/doc/ca-certificates/changelog.gz

dpkg-deb -x (content files)
-----------

$ dpkg-deb -x ca-certificates_20170717~16.04.1_all.deb dpkg-deb_-x.old
$ dpkg-deb -x ca-certificates_20170717~16.04.2_all.deb dpkg-deb_-x.new

$ diff -r dpkg-deb_-x.{old,new}
Binary files dpkg-deb_-x.old/usr/share/doc/ca-certificates/changelog.gz and dpkg-deb_-x.new/usr/share/doc/ca-certificates/changelog.gz differ

dpkg-deb -e (control files)
-----------

$ dpkg-deb -e ca-certificates_20170717~16.04.2_all.deb dpkg-deb_-e.new
$ dpkg-deb -e ca-certificates_20170717~16.04.1_all.deb dpkg-deb_-e.old

$ diff -r dpkg-deb_-e.{old,new}
diff -r dpkg-deb_-e.old/control dpkg-deb_-e.new/control
2c2
< Version: 20170717~16.04.1
---
> Version: 20170717~16.04.2
diff -r dpkg-deb_-e.old/md5sums dpkg-deb_-e.new/md5sums
151c151
< fc0ff87421a0735d09e88bdf444dc760 usr/share/doc/ca-certificates/changelog.gz
---
> 5596056c49179e32312e93f4c7296987 usr/share/doc/ca-certificates/changelog.gz

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Package Contents :: Trusty
==========================

No regressions in ca-certificates DEB file
after the changes to build the UDEB file.

The only difference is due to the changes
in changelog file and package version.

dpkg-deb -c (content listing)
-----------

$ dpkg-deb -c ca-certificates_20170717~14.04.1_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.old
$ dpkg-deb -c ca-certificates_20170717~14.04.2_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.new

$ diff dpkg-deb_-c.{old,new}
14c14
< -rw-r--r-- root/root 11052 2018-12-06 HH:MM ./usr/share/doc/ca-certificates/changelog.gz
---
> -rw-r--r-- root/root 11108 2018-12-06 HH:MM ./usr/share/doc/ca-certificates/changelog.gz

dpkg-deb -x (content files)
-----------

$ dpkg-deb -x ca-certificates_20170717~14.04.1_all.deb dpkg-deb_-x.old
$ dpkg-deb -x ca-certificates_20170717~14.04.2_all.deb dpkg-deb_-x.new

$ diff -r dpkg-deb_-x.{old,new}
Binary files dpkg-deb_-x.old/usr/share/doc/ca-certificates/changelog.gz and dpkg-deb_-x.new/usr/share/doc/ca-certificates/changelog.gz differ

dpkg-deb -e (control files)
-----------

$ dpkg-deb -e ca-certificates_20170717~14.04.1_all.deb dpkg-deb_-e.old
$ dpkg-deb -e ca-certificates_20170717~14.04.2_all.deb dpkg-deb_-e.new

$ diff -r dpkg-deb_-e.{old,new}
diff -r dpkg-deb_-e.old/control dpkg-deb_-e.new/control
2c2
< Version: 20170717~14.04.1
---
> Version: 20170717~14.04.2
diff -r dpkg-deb_-e.old/md5sums dpkg-deb_-e.new/md5sums
151c151
< c410ab88c14eab543d0c57f08b104895 usr/share/doc/ca-certificates/changelog.gz
---
> da9525233e9c26a1b101bd9be04280d0 usr/share/doc/ca-certificates/changelog.gz

description: updated
Revision history for this message
Eric Desrochers (slashd) wrote :

From #ubuntu-release (freenode)

With regards to the FTBFS situation with ca-certificates-udeb:

<infinity> slashd: Promoted. I'll retry the builds when the publisher's done moving it around.
<infinity> slashd: Just disco. For other releases, it'll require some fiddling.

I'll continue with the SRU as soon as disco is building fine and goes into -releases.

Revision history for this message
Dan Streetman (ddstreet) wrote :

removing the sponsors team - please nobody upload this! @slashd or i will sru when ready.

Revision history for this message
Eric Desrochers (slashd) wrote :

Please do the necessary to make sure we don't upload ca-certificates by mistake again.

I would suggest we :
1) Remove the debdiff
2) Set the status for ca-certificates to "Won't Fix"

To avoid confusion.

The ca-certificates work needs to be done by an archive admin, no rebuild needed.

Regards,
Eric

Dan Streetman (ddstreet)
Changed in ca-certificates (Ubuntu Disco):
assignee: Mauricio Faria de Oliveira (mfo) → nobody
status: In Progress → Invalid
Changed in ca-certificates (Ubuntu Cosmic):
assignee: Mauricio Faria de Oliveira (mfo) → nobody
status: In Progress → Invalid
Changed in ca-certificates (Ubuntu Bionic):
assignee: Mauricio Faria de Oliveira (mfo) → nobody
status: In Progress → Invalid
Changed in ca-certificates (Ubuntu Xenial):
status: New → Invalid
assignee: nobody → Mauricio Faria de Oliveira (mfo)
status: Invalid → In Progress
Changed in ca-certificates (Ubuntu Trusty):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
importance: Undecided → Medium
status: New → In Progress
Changed in ca-certificates (Ubuntu Xenial):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Xenial):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
status: New → In Progress
Changed in debian-installer (Ubuntu Trusty):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
status: New → In Progress
Revision history for this message
Dan Streetman (ddstreet) wrote :

Marked ca-certificates for b/c/d as Invalid - it does not need an upload, only archive twiddling to move its component.

For t/x, ca-certificates does need the patches @mfo attached to actually generate the -udeb binary pkg.

Please nobody sponsor this bug - @slashd or I will handle the sruing.

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :
Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :
Revision history for this message
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Mauricio, or anyone else affected,

Accepted debian-installer into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu557.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in debian-installer (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Mauricio, or anyone else affected,

Accepted debian-installer into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu543.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in debian-installer (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Changed in debian-installer (Ubuntu Disco):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu560

---------------
debian-installer (20101020ubuntu560) disco; urgency=medium

  [ Mauricio Faria de Oliveira ]
  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023) (closes: #842040)

 -- Dan Streetman <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Disco):
status: Fix Committed → Fix Released
Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Verification :: bionic-proposed
-------------------------------

Successful.

$ wget http://archive.ubuntu.com/ubuntu/dists/bionic-proposed/main/installer-amd64/20101020ubuntu543.4/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

$ virt-install \
  --name bionic \
  --vcpus 2 \
  --memory 512 \
  --disk size=4,bus=virtio,format=qcow2 \
  --network user,model=virtio \
  --graphics none \
  --import \
  --boot kernel=linux,initrd=initrd.gz,kernel_args='console=ttyS0 ipv6.disable=1 auto=true hostname=ubuntu'

Wait until dialog.
Exit to shell.

~ # cat /etc/default-release
bionic

~ # sed -n '/^Package: debian-installer/,/^Version:/p' /var/lib/dpkg/status
Package: debian-installer
Status: install ok installed
Version: netboot-20101020ubuntu543.4

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-07 20:33:24-- https://github.com/
...
Saving to: 'index.html'
...

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Verification :: cosmic-proposed
-------------------------------

Successful.

$ wget http://archive.ubuntu.com/ubuntu/dists/cosmic-proposed/main/installer-amd64/20101020ubuntu557.1/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

$ virt-install \
  --name cosmic \
  --vcpus 2 \
  --memory 512 \
  --disk size=4,bus=virtio,format=qcow2 \
  --network user,model=virtio \
  --graphics none \
  --import \
  --boot kernel=linux,initrd=initrd.gz,kernel_args='console=ttyS0 ipv6.disable=1 auto=true hostname=ubuntu'

Wait until dialog.
Exit to shell.

~ # cat /etc/default-release
cosmic

~ # sed -n '/^Package: debian-installer/,/^Version:/p' /var/lib/dpkg/status
Package: debian-installer
Status: install ok installed
Version: netboot-20101020ubuntu557.1

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-07 20:39:52-- https://github.com/
...
Saving to: 'index.html'
...

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Verification :: disco-proposed
-------------------------------

Okay, not strictly required as not yet a Stable Release, but doing anyway.
Successful.

$ wget http://archive.ubuntu.com/ubuntu/dists/disco-proposed/main/installer-amd64/20101020ubuntu560/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

$ virt-install \
  --name disco \
  --vcpus 2 \
  --memory 512 \
  --disk size=4,bus=virtio,format=qcow2 \
  --network user,model=virtio \
  --graphics none \
  --import \
  --boot kernel=linux,initrd=initrd.gz,kernel_args='console=ttyS0 ipv6.disable=1 auto=true hostname=ubuntu'

Wait until dialog.
Exit to shell.

~ # cat /etc/default-release
disco

~ # sed -n '/^Package: debian-installer/,/^Version:/p' /var/lib/dpkg/status
Package: debian-installer
Status: install ok installed
Version: netboot-20101020ubuntu560

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-07 20:42:20-- https://github.com/
...
Saving to: 'index.html'

tags: added: verification-done verification-done-bionic verification-done-cosmic
removed: verification-needed verification-needed-bionic verification-needed-cosmic
Changed in debian-installer:
status: Unknown → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Mauricio, or anyone else affected,

Accepted debian-installer into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu451.27 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in debian-installer (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
removed: verification-done
Changed in debian-installer (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed-trusty
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Mauricio, or anyone else affected,

Accepted debian-installer into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu318.45 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Mauricio, or anyone else affected,

Accepted ca-certificates into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ca-certificates/20170717~16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ca-certificates (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in ca-certificates (Ubuntu Trusty):
status: In Progress → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Mauricio, or anyone else affected,

Accepted ca-certificates into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ca-certificates/20170717~14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for debian-installer has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu543.4

---------------
debian-installer (20101020ubuntu543.4) bionic; urgency=medium

  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu557.1

---------------
debian-installer (20101020ubuntu557.1) cosmic; urgency=medium

  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Revision history for this message
Dan Streetman (ddstreet) wrote :

autopkgtest failure notes:

glib-networking fails for trusty, but it failed exactly the same way in the last autopkgtest run, which was from 2017. Appears to be a broken test case and should be ignored for this sru.

snapd fails for xenial, but it's failed for the last 2+ months. The tests for it are clearly broken and should be ignored for this sru.

Revision history for this message
Dan Streetman (ddstreet) wrote :

trusty verification:

reproduce bug:
1) get the debian-installer source version 20101020ubuntu318.44 and extract
2) in the source cd build/
3) make build_netboot
4) cd dest/netboot/ubuntu-installer/amd64
5) run steps from comment 1
6) verify wget from github.com fails due to https certificate:

~ # wget http://github.com
--2018-12-19 20:04:55-- http://github.com/
Resolving github.com... 192.30.253.113, 192.30.253.112
Connecting to github.com|192.30.253.113|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-19 20:04:55-- https://github.com/
Connecting to github.com|192.30.253.113|:443... connected.
ERROR: cannot verify github.com's certificate, issued by '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

verify fix: same steps except with debian-installer version 20101020ubuntu318.45

step #6 passes:

~ # wget github.com
--2018-12-19 20:09:44-- http://github.com/
Resolving github.com... 192.30.253.112, 192.30.253.113
Connecting to github.com|192.30.253.112|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-19 20:09:44-- https://github.com/
Connecting to github.com|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

    [ <=> ] 80,096 --.-K/s in 0.04s

2018-12-19 20:09:44 (1.77 MB/s) - 'index.html' saved [80096]

tags: added: verification-done-trusty
removed: verification-needed-trusty
Revision history for this message
Dan Streetman (ddstreet) wrote :

xenial:

same steps as last comment.

reproduction using d-i version 20101020ubuntu451.26

~ # wget http://github.com/
--2018-12-19 20:15:36-- http://github.com/
Resolving github.com... 192.30.253.113, 192.30.253.112
Connecting to github.com|192.30.253.113|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-19 20:15:36-- https://github.com/
Connecting to github.com|192.30.253.113|:443... connected.
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

verification of fix using d-i version 20101020ubuntu451.27

~ # wget http://github.com/
--2018-12-19 20:18:37-- http://github.com/
Resolving github.com... 192.30.253.113, 192.30.253.112
Connecting to github.com|192.30.253.113|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-19 20:18:37-- https://github.com/
Connecting to github.com|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

index.html [ <=> ] 78.22K --.-KB/s in 0.04s

2018-12-19 20:18:37 (1.82 MB/s) - 'index.html' saved [80096]

tags: added: verification-done-xenial
removed: verification-needed-xenial
tags: added: verification-done
removed: verification-needed
tags: removed: sts-sponsor sts-sponsor-ddstreet
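The trusty and xenial verification comments above both apply the bug's [Test Case] by eye to a wget transcript. As an added example that is not from the bug report or the debian-installer project, the script below does the same classification on a saved transcript and checks that the CA store directory the verifiers inspected (/usr/lib/ssl/certs) actually holds certificates. The transcripts are constructed from the lines quoted in the comments, and the INSECURE category assumes GNU wget's behaviour of downgrading the ERROR to a WARNING when --no-check-certificate is given.

```shell
#!/bin/sh
# Added example, not part of the bug report: apply the [Test Case] criteria to a
# saved wget transcript from the installer shell, and check that the CA store
# directory the verifiers looked at (/usr/lib/ssl/certs) holds certificates.

# classify_wget_log FILE: prints PASS, FAIL, INSECURE or UNKNOWN.
#   FAIL     - wget refused to connect because it could not verify the chain
#              (what the stock image without ca-certificates-udeb produces).
#   INSECURE - the download completed, but only because --no-check-certificate
#              was given (GNU wget then prints WARNING instead of ERROR).
#   PASS     - the chain verified and the file was saved.
classify_wget_log() {
    if grep -q 'ERROR: cannot verify .* certificate' "$1"; then
        echo FAIL
    elif grep -q 'WARNING: cannot verify .* certificate' "$1"; then
        echo INSECURE
    elif grep -q 'Saving to:' "$1"; then
        echo PASS
    else
        echo UNKNOWN
    fi
}

# ca_store_ok DIR: succeeds if DIR exists and contains at least one *.pem or
# *.crt file. An empty directory, as seen before the fix, makes every
# verification fail exactly like the FAIL transcript.
ca_store_ok() {
    [ -d "$1" ] || return 1
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Constructed transcripts, taken from the lines quoted in the verification comments.
tmp=$(mktemp -d)
cat > "$tmp/before.log" <<'EOF'
Location: https://github.com/ [following]
ERROR: cannot verify github.com's certificate, issued by '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
  Unable to locally verify the issuer's authority.
EOF
cat > "$tmp/after.log" <<'EOF'
HTTP request sent, awaiting response... 200 OK
Saving to: 'index.html'
EOF
echo "before fix: $(classify_wget_log "$tmp/before.log")"   # FAIL
echo "after fix:  $(classify_wget_log "$tmp/after.log")"    # PASS
ca_store_ok /usr/lib/ssl/certs && echo "CA store populated" || echo "CA store empty or missing"
rm -rf "$tmp"
```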
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20170717~16.04.2

---------------
ca-certificates (20170717~16.04.2) xenial; urgency=medium

  * Add ca-certificates udeb package (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Thu, 06 Dec 2018 16:20:55 -0200

Changed in ca-certificates (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu451.27

---------------
debian-installer (20101020ubuntu451.27) xenial; urgency=medium

  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20170717~14.04.2

---------------
ca-certificates (20170717~14.04.2) trusty; urgency=medium

  * Add ca-certificates udeb package (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Thu, 06 Dec 2018 16:20:55 -0200

Changed in ca-certificates (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu318.45

---------------
debian-installer (20101020ubuntu318.45) trusty; urgency=medium

  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Trusty):
status: Fix Committed → Fix Released