Package Contents :: Xenial
==========================

No regressions in ca-certificate DEB file after the changes to build the UDEB file.
The only difference is due to the changes in changelog file and package version.

dpkg-deb -c (content listing)
-----------

$ dpkg-deb -c ca-certificates_20170717~16.04.2_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.new
$ dpkg-deb -c ca-certificates_20170717~16.04.1_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.old

$ diff dpkg-deb_-c.{old,new}
14c14
< -rw-r--r-- root/root 12885 2017-09-27 HH:MM ./usr/share/doc/ca-certificates/changelog.gz
---
> -rw-r--r-- root/root 12948 2018-12-06 HH:MM ./usr/share/doc/ca-certificates/changelog.gz

dpkg-deb -x (content files)
-----------

$ dpkg-deb -x ca-certificates_20170717~16.04.1_all.deb dpkg-deb_-x.old
$ dpkg-deb -x ca-certificates_20170717~16.04.2_all.deb dpkg-deb_-x.new

$ diff -r dpkg-deb_-x.{old,new}
Binary files dpkg-deb_-x.old/usr/share/doc/ca-certificates/changelog.gz and dpkg-deb_-x.new/usr/share/doc/ca-certificates/changelog.gz differ

dpkg-deb -e (control files)
-----------

$ dpkg-deb -e ca-certificates_20170717~16.04.2_all.deb dpkg-deb_-e.new
$ dpkg-deb -e ca-certificates_20170717~16.04.1_all.deb dpkg-deb_-e.old

$ diff -r dpkg-deb_-e.{old,new}
diff -r dpkg-deb_-e.old/control dpkg-deb_-e.new/control
2c2
< Version: 20170717~16.04.1
---
> Version: 20170717~16.04.2
diff -r dpkg-deb_-e.old/md5sums dpkg-deb_-e.new/md5sums
151c151
< fc0ff87421a0735d09e88bdf444dc760 usr/share/doc/ca-certificates/changelog.gz
---
> 5596056c49179e32312e93f4c7296987 usr/share/doc/ca-certificates/changelog.gz

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
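The md5sums comparison in the comment above can be turned into a pass/fail check. This is an added example, not part of the original comment or of any Ubuntu tooling; the function names are made up here, and the allowlist of expected paths is an assumption the caller supplies.

```shell
#!/bin/sh
# Added example: compare the md5sums control files of two builds of a package
# and fail if anything outside an allowlist of expected paths differs.

# Prints "changed|added|removed<TAB>path" for every path that differs.
md5sums_diff() {
    awk '
        # Each md5sums line is "<hex digest><spaces><path>".
        { sum = $1; path = $0; sub(/^[0-9a-f]+ +/, "", path) }
        FILENAME == ARGV[1] { old[path] = sum; next }
        {
            seen[path] = 1
            if (!(path in old))        print "added\t" path
            else if (old[path] != sum) print "changed\t" path
        }
        END { for (p in old) if (!(p in seen)) print "removed\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# usage: unexpected_changes OLD_MD5SUMS NEW_MD5SUMS [allowed-path ...]
# Prints the differences that are not allowlisted; returns 1 if there are any.
unexpected_changes() {
    old=$1; new=$2; shift 2
    md5sums_diff "$old" "$new" | awk -F '\t' '
        # The allowed paths arrive as arguments; blank them so awk reads stdin.
        BEGIN { for (i = 1; i < ARGC; i++) { ok[ARGV[i]] = 1; ARGV[i] = "" } }
        !($2 in ok) { print; bad = 1 }
        END { exit bad + 0 }
    ' "$@"
}

# Run as a script with the two md5sums files and any expected paths as arguments.
if [ "$#" -ge 2 ]; then
    unexpected_changes "$@"
fi
```

With the directories extracted above, `unexpected_changes dpkg-deb_-e.old/md5sums dpkg-deb_-e.new/md5sums usr/share/doc/ca-certificates/changelog.gz` prints nothing and returns 0, because changelog.gz is the only entry whose checksum differs.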
https://bugs.launchpad.net/bugs/1807023

Title:
  installer stock images fail to validate any HTTPS certificates (ca-certificates missing)

Status in debian-installer:
  Unknown
Status in ca-certificates package in Ubuntu:
  In Progress
Status in debian-installer package in Ubuntu:
  In Progress
Status in ca-certificates source package in Trusty:
  New
Status in debian-installer source package in Trusty:
  New
Status in ca-certificates source package in Xenial:
  New
Status in debian-installer source package in Xenial:
  New
Status in ca-certificates source package in Bionic:
  In Progress
Status in debian-installer source package in Bionic:
  In Progress
Status in ca-certificates source package in Cosmic:
  In Progress
Status in debian-installer source package in Cosmic:
  In Progress
Status in ca-certificates source package in Disco:
  In Progress
Status in debian-installer source package in Disco:
  In Progress
Status in debian-installer package in Debian:
  Fix Released

Bug description:
  [Impact]

   * The installer stock images fail to validate any HTTPS certificates because ca-certificates is not available in the installer environment.

   * This causes wget/download errors for preseed files on HTTPS servers (or HTTP servers that redirect to HTTPS, which are increasingly common nowadays - e.g., GitHub) and theoretically any other files that are downloaded with d-i-utils/fetch-url/wget.

   * The fix is to ship ca-certificates-udeb in installer stock images.

   * Debian already ships ca-certificate-udeb in the stock installer images; the fix is applied since Jan 2017. (reference: Debian Bug #842040 / d-i commit 2f00c51a [1])

  [Test Case]

   * In the installer shell:

     ~ # wget http://github.com # or https://github.com

     - FAIL if ca-certificates-udeb is missing:
       "ERROR: cannot verify github.com's certificate, <...>'

     - PASS if ca-certificates-udeb is available
       "Saving to: 'index.html'"

   * Test steps with virt-install and netboot images are provided in the comments, for each release.

  [Regression Potential]

   * Low. This just adds the ca-certificates files in /etc/ssl/certs and symlink in /usr/lib/ssl/certs, so only tools looking for that would be affected.

   * Apparently only wget checks for/uses those files, and the difference in behavior is download errors no longer occur.

  [Notes]

   * The ca-certificates-udeb is not currently present in the Ubuntu 'main' component, but in 'universe', despite the normal deb being in 'main'. However, when rebuilding in a PPA it goes into 'main' accordingly, and can be used by default by debian-installer (otherwise, UDEB_COMPONENTS has to be modified to include universe/d-i).

   * So this fix includes a no-change-rebuild for the ca-certificates package, in order to publish the udeb in the archive (at least in PPA for testing). Hopefully that can be sorted out for this fix to work out.

   * The ca-certificates and debian-installer builds have been done in a PPA using all architectures, and testing has been done with the amd64 images.

   * This fix is requested for Bionic, Cosmic, Disco at least.

   * The fix for Trusty and Xenial needed a little bit more work to build/ship the (new) udeb. (reference: Debian Bug #845456 / ca-certificates commit 3acb3a90 [2]) It would be good to have them too if at all possible.

  [1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6
  [2] https://salsa.debian.org/debian/ca-certificates/commit/3acb3a9042a00307ba35d10052d81cdc206c34a4

  [Debugging]

  For debugging purposes, one can install strace-udeb in the installer to verify wget's stat() calls to /usr/lib/ssl/certs.

  ~ # anna-install strace-udeb
  ~ # strace -e stat wget -O- https://github.com >/dev/null
  ...
  Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
  140.82.118.3, 140.82.118.4
  Connecting to github.com|140.82.118.3|:443... connected.
  stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
  stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
  stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
  ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
    Unable to locally verify the issuer's authority.
  To connect to github.com insecurely, use `--no-check-certificate'.
  +++ exited with 5 +++
  ~ #

  ~ # anna-install ca-certificates-udeb # not in archive yet.
  unknown udeb ca-certificates-udeb

  ~ # wget --no-check-certificate https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates-udeb_20180409_all.udeb
  ~ # udpkg -i ca-certificates-udeb_20180409_all.udeb

  ~ # strace -e stat wget -O- https://github.com >/dev/null
  ...
  Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
  140.82.118.3, 140.82.118.4
  Connecting to github.com|140.82.118.3|:443... connected.
  stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
  stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0
  stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
  HTTP request sent, awaiting response... 200 OK
  stat("-", 0x7fffbb943558) = -1 ENOENT (No such file or directory)
  Length: unspecified [text/html]
  Saving to: 'STDOUT'
  ...
  +++ exited with 0 +++

To manage notifications about this bug go to:
https://bugs.launchpad.net/debian-installer/+bug/1807023/+subscriptions
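The strace check from the [Debugging] section can be summarised mechanically. This is an added example, not part of the bug report; the function names are made up here, and the input lines are the stat() lines quoted in the two runs above. It relies on the `<hash>.<n>` file naming visible in those lines.

```shell
#!/bin/sh
# Added example: summarise which hashed CA file names were probed in
# `strace -e stat` output and whether any probe found a file.

# Reads strace output on stdin; $1 is the directory being probed.
# Prints "hit<TAB>hash<TAB>file" or "miss<TAB>hash", one line per hash.
ca_probe_summary() {
    awk -v dir="${1:-/usr/lib/ssl/certs}" '
        BEGIN { prefix = "stat(\"" dir "/" }
        (p = index($0, prefix)) > 0 {
            name = substr($0, p + length(prefix))
            name = substr(name, 1, index(name, "\"") - 1)
            hash = name; sub(/\.[0-9]+$/, "", hash)   # strip the .N suffix
            if (!(hash in state)) state[hash] = "miss"
            # A successful stat() ends in ") = 0"; a miss ends in ENOENT text.
            if ($0 ~ /\) = 0[ \t]*$/) { state[hash] = "hit"; file[hash] = name }
        }
        END {
            for (h in state)
                print state[h] "\t" h ((h in file) ? "\t" file[h] : "")
        }
    ' | LC_ALL=C sort
}

# Returns 0 if at least one probed name existed, 1 if every probe missed
# (the symptom of an empty or absent certificate directory).
ca_dir_answered() {
    ca_probe_summary "$@" | grep '^hit' >/dev/null
}

# The stat() lines from the two runs in the bug description.
run_without_udeb() {
    cat <<'EOF'
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
EOF
}
run_with_udeb() {
    cat <<'EOF'
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0
stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
EOF
}

run_without_udeb | ca_probe_summary
run_with_udeb | ca_probe_summary
```

In the installer the same summary can be fed from a live run by sending strace's output to a file with `-o` and piping that file into `ca_probe_summary`.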