Serve UDFs under a dedicated virtualhost with a TLS certificate signed by our own CA
We could set up a special URL just for the upgrader, serve it using a CA we control, and pin that CA instead.
This would avoid problems like #18127.
I find this idea interesting and I think it could work: the only real-world-relevant client that needs to access the relevant files is our Upgrader.
I understand this implies serving the relevant files (UDFs) under a new, dedicated hostname, e.g. https://upgrade.tails.boum.org/ or similar.
To avoid complicating the release process, we could leave the UDFs in tails.git, and when we push to tails.git's master branch, on top of refreshing our website like we already do, this would also trigger copying the UDFs to that new virtualhost's static files directory.