Can I use my existing key for my models?

I’m not quite sure where this topic should go, since both snapcraft is the user-facing key handler, but it just shells out to snapd, and then snapd uses it with snap sign… so this really applies to both snapcraft and snapd.

Say I’m making a custom image, using a custom model assertion. I’m following this tutorial (ish, I’m using the snapcraft commands to generate and list the keys). I need to sign the model definition, and thus need a key to do it. We have snapcraft as an opaque wrapper around snapd, which, judging from the contents of ~/.snap/ is an opaque wrapper around gnupg.

Is there any way I can use my own already-existing key for this? Or must I generate a new one just for signing assertions?

The short answer is no, because we use a very specific subset of PGP, with special constraints on the keys.

We do need to grow some sort of export/import / backup/restore to move keys arounds though.

I just did this, but had some pain:

I don’t recommend doing this, but it worked for me after adding an uid compatible with the snapd RE to my key.

Alright, thanks for the response. Are those constraints documented anywhere? I agree that having more key management (import/export) functionality would be nice.

Haha, you need to just use lool for everything, man.

I need to recollect the details, there’s no official doc except in code comments I think and an internal doc ATM. The issue is mostly that the view on how to identify the key from snapd POV vs PGP will differ unless the key respects the constraints very precisely. The main reason for this situation is while the signing, packet format is fine for us, we didn’t want to trust, especially going forward, the ways PGP identifies keys and matches signature packets back to keys.

Ah I tried, but “Real name” required at least 5 chars! :slight_smile: