Attaching custom build ubuntu core image to private store

Hi,
Right now I am deploying my app manually by adding it to a custom-built Ubuntu Core image and installing this image directly on a terminal. Recently, I was able to push this app to the Ubuntu store as a private snap. My goal is to be able to push new updates of it to my machines remotely using the Ubuntu store. I am aware that in order to be able to see and track this private snap I have to be logged in with a proper user on every machine. I am also aware that “snap login” generates an auth.json file, which has credentials. My questions are: Is it possible to copy the auth.json file generated from logging in and use it on a custom-built Ubuntu Core image? Therefore, after installing the image on a terminal it could track the private snap (my app) from the Ubuntu store and apply updates if available. Is it possible to use the same auth.json on many machines, and do these credentials have an expiration date?

Hmm, simply adding the auth.json file to the root user dir does not work. I see my user with the snap whoami command, but I cannot see my private snap in the store. I only see it when I do a full snap login. Is it even possible to do it this way?

I also found this old topic regarding using a private snap with a custom-built image

which states that it is only possible with a brand store. :confused: Is it still like this?

There is also info like this, but I do not understand how and where to use this, or even if it is possible:

What is supported atm is using UBUNTU_STORE_AUTH_DATA_FILENAME to point to a JSON file with the macaroon bits ( {"macaroon": ..., "discharges": [...]} , where discharges are actually unbound), there is no official tooling to create such a file though.

Any suggestions are welcome :slight_smile:

if you have control over the image and the model assertion, you can use a system-user assertion:


Hi, @ogra
I did like you suggested. I had to generate my model file again (lost the previous private key) and created a new image and deployed it. After that I attached a USB key with an auto-import.assert file, it created the system-user and I was able to log in. However, when I log in I don’t see my private snap from the store, and my snap which was added to the image during image creation is not tracking anything from the store. Did I miss something? Should I do something else?

you need to sign everything with the same user (the one that owns the private snap), your model assertion needs to have the correct IDs pointing to that user as well…

@ogra Hmm, I set “authority-id” and brand-id to the proper value from “Your account details” https://dashboard.snapcraft.io/dev/account/ in the terminal-device.json file. I signed it with a key that was registered to my account with the snapcraft register-key command; I can see it in list-keys with a *. So it should be there, and also when asking api.snapcraft.io with curl. I also used this key to create the auto-import.assert file. Should I sign the snap somehow too? And what if my snap was published to the store before I registered my key? Does it change anything?

Hmm, I also found that in my system-user dir I can find an auth.json file and I can see this:

"id":1,"username":"test_piotr","email":"test_piotr@localhost","macaroon".....

Should this email match the one that I use in the store?

yes, it should all match the same user …

I can set the username to the short one from “Publisher account details” - "This is a shorthand version of your name, used when space on screen is limited." - but I don’t see an option in make-system-user to provide an email address for file generation. Or can I edit the email: test_piotr@localhost part of the generated auto-import.assert? Is this field used in signing it?

it should be used … the email you use should exactly match the one you are using at login.ubuntu.com

@ogra I understand, but my question is whether I can change this email in the already created auto-import.assert file. I am asking because I do not know if this field (email) was used in the signing process of this file, or maybe this file is not signed like I think?

i think the email address is used, yes …

@ogra Ok, I tried to change the email in auto-import.assert and it doesn’t work on my deployed image. So it has to be used in the signing process. Do you know how I can provide an email address for make-system-user? Help doesn’t show any option related to email:

~$ make-system-user -h
usage:  [-h] [-v] -b BRAND -m MODEL -u USERNAME [-p PASSWORD] [-f]
        [-s SSH_KEYS [SSH_KEYS ...]] -k KEY

Create a self-signed system-user assertion using a local snapcraft key that
has been registered with an Ubuntu SSO account. This account must have the
authority to sign system-user assertions, typically simply by being the Brand
Account. The model assertion can delegate such authority.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose
  -p PASSWORD, --password PASSWORD
                        The password of the account to be created on the
                        device. This password is not saved. Either this or
                        --ssh-keys is required.
  -f, --force-password-change
                        Force the user to change the password on first use.
                        --password flag required.
  -s SSH_KEYS [SSH_KEYS ...], --ssh-keys SSH_KEYS [SSH_KEYS ...]
                        One or more public ssh keys to use for SSH using the
                        system user to be created on the device. Either this
                        or --password is required. Enclosed each key string in
                        single quotes. Use a space to delimit them. For
                        example: --ssh-keys 'key one' 'key two'.

Required arguments:
  -b BRAND, --brand BRAND
                        The account-id of the account that signed the device's
                        model-assertion.
  -m MODEL, --model MODEL
                        The model listed in the device's model-assertion.
  -u USERNAME, --username USERNAME
                        The username of the account to be created on the
                        device
  -k KEY, --key KEY     The name of the snapcraft key to use to sign the
                        system user assertion. The key must exist locally and
                        be reported by "snapcraft keys". The key must also be registred

or how to provide a system-user json file for it directly? Or maybe I have to sign it manually somehow?

i think you need to use the mail address as username … perhaps @kyleN has some more hints (being the author of make-system-user)

I have already tried to do this and I get the following error:

error: cannot assemble assertion system-user: "email" header must be a RFC 5322 compliant email address: mail: expected single address, got "@localhost"

erm … i’m 100% positive that login.ubuntu.com did not allow you to register an @localhost address … you need to use the mail address of your SSO account that owns the private snap indeed …

Yes, I have a proper email set in my login.ubuntu.com account. I also registered my public key to this specific account with snapcraft register-key. It would be nice to understand how make-system-user generates the system-user json that is signed.

Hmm, I found this:
https://github.com/knitzsche/make-system-user/blob/master/make_system_user/main.py
It seems like this localhost is hardcoded in it?

Hmm, I can always change this in the code and build a new snap of make_system_user, but is it really the only way?
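To make the failure mode in this thread concrete, here is an added example (not code from the thread, snapd or make-system-user) that parses the header block of a system-user assertion and applies the three consistency checks discussed above: the email header must be a single RFC 5322 address (snapd validates it with Go's net/mail, which is where the "expected single address" error text comes from), it must equal the SSO account email that owns the private snap, and authority-id/brand-id must equal the account-id that signed the model. The assertion text, account id and key digest are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed header block of a system-user assertion, shaped like the one
// make-system-user emits with its hardcoded "@localhost" email. Ids and the
// signature are placeholders, not real values.
const sampleAssertion = `type: system-user
authority-id: EXAMPLE_ACCOUNT_ID
brand-id: EXAMPLE_ACCOUNT_ID
email: test_piotr@localhost
models:
  - terminal-device
series:
  - 16
username: test_piotr
sign-key-sha3-384: PLACEHOLDER_KEY_DIGEST

PLACEHOLDER_SIGNATURE`

// parseHeaders collects the top-level "key: value" headers, skipping list
// continuation lines and stopping at the blank line before the signature.
func parseHeaders(assertion string) map[string]string {
	headers := map[string]string{}
	for _, line := range strings.Split(assertion, "\n") {
		if line == "" {
			break
		}
		if strings.HasPrefix(line, " ") {
			continue
		}
		if kv := strings.SplitN(line, ":", 2); len(kv) == 2 {
			headers[kv[0]] = strings.TrimSpace(kv[1])
		}
	}
	return headers
}

// checkSystemUser returns nil only when the email parses as a single RFC 5322
// address, matches the store (SSO) account email, and both ids match accountID.
func checkSystemUser(assertion, ssoEmail, accountID string) error {
	h := parseHeaders(assertion)
	addr, err := mail.ParseAddress(h["email"])
	if err != nil {
		return fmt.Errorf(`"email" header must be a RFC 5322 compliant email address: %v`, err)
	}
	if !strings.EqualFold(addr.Address, ssoEmail) {
		return fmt.Errorf("email %q does not match store account %q", addr.Address, ssoEmail)
	}
	if h["authority-id"] != accountID || h["brand-id"] != accountID {
		return fmt.Errorf("authority-id/brand-id do not match account %q", accountID)
	}
	return nil
}

func main() {
	fmt.Println(checkSystemUser(sampleAssertion, "piotr@example.com", "EXAMPLE_ACCOUNT_ID"))
}
```

Passing the SSO address as the username, as tried above, yields an email header like piotr@example.com@localhost, which this check rejects with the same "expected single address" error the thread shows.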

This email field was always hardcoded because I was not aware of any use case where it was needed. Perhaps this is such a case! I can release a new rev of the snap onto edge and if it works for you we can release it to stable.


It would be great, I don’t really want to build it myself :smiley:

So I guess no one used it before? No one tried to attach/login their newly deployed Ubuntu Core image to the store in order to see their private snaps? Ufff, I hope it works for me :wink:

typically most people using this feature have a brand store so they don’t need to use private snaps :wink: