remove ssl-cert "snakeoil" private keys from images, since this makes them not very private. LP: #2037869.

debian/changelog

@@ -1,10 +1,15 @@
 livecd-rootfs (23.10.52) UNRELEASED; urgency=medium
 
+  [ Philip Roche ]
   * fix: Sort filelists creating when building ubuntu-cpc images (LP: #2033677)
   * fix: Create .filelist in ubuntu-cpc project binary hooks that do not use create_manifest shared function (LP: #2033751)
     * fix: Ensure any created .filelist is symlinked with expected prefix and correct permissions
     * fix: disk-image-non-cloud ubuntu-cpc build target now provides manifest and filelist
 
+  [ Steve Langasek ]
+  * remove ssl-cert "snakeoil" private keys from images, since this makes
+    them not very private.  LP: #2037869.
+
  -- Philip Roche <phil.roche@ubuntu.com>  Thu, 31 Aug 2023 18:20:23 +0100
 
 livecd-rootfs (23.10.51) mantic; urgency=medium

live-build/auto/config

@@ -1300,6 +1300,18 @@ if [ "${IMAGE_HAS_HARDCODED_PASSWORD:-}" = "1" ]; then
 	fi
 fi
 
+# apply this hook unconditionally to remove files from the chroot that
+# are supposed to be install-specific secrets and therefore must never
+# be shipped in any image.
+# this hook should be extended if we discover any more files that are
+# supposed to be private but aren't.
+cat > config/hooks/100-too-many-secrets.chroot <<EOF
+#!/bin/sh
+
+rm -fv /etc/ssl/private/ssl-cert-snakeoil.key \
+	/etc/ssl/certs/ssl-cert-snakeoil.pem
+EOF
+
 case $PROJECT in
   ubuntu-cpc|ubuntu-core|ubuntu-base|ubuntu-oci|ubuntu-wsl|ubuntu-mini-iso)
     # ubuntu-cpc gets this added in 025-create-groups.chroot, and we do