Export/Import snap signature keys

We are using snap signature keys to create/sign ubuntu-core images and private snaps.

I see various topics on exporting these keys to a private Key Vault using gpg, but have not seen any snap specific commands to do so.

What is the most effective way to export/import registered snap keys?

I am generating them using the following:

$ snap create-key myKey
$ snapcraft register-key

Has anyone had luck with this?

Checking in again on this.

By default it would be like this:

gpg --homedir /home/user/.snap/gnupg/ --export -a my-test-key

Where my-test-key is the name of a key I created previously with snap create-key and user is the name of the user currently executing the command.

The snap command there is more or less just setting a different gpg homedir to use for the keys.

As long as there is no value set in the environment for SNAP_GNUPG_HOME then it will determine the home of the user and use that path.

To follow up with two notes:

  • if you never named a key then a “default” will exist
  • use --export-secret-keys to get the private key

Hi, how do you import this key into ~/snap/gnupg folder without erasing the already existing ones?

* No warranty provided, make back-ups and/or take necessary precautions not to lose keys *

You should just be able to import it with --import. It would only overwrite if an existing key with that ID exists and even then it may warn you. I’m not certain as I have not done this recently and don’t recall exactly.

When I did this, it copied the signature into ~/gnupg instead of snap/sgnupg

Sorry, the implication was that you would use similar syntax as the export when importing, try adding:

--homedir /home/user/.snap/gnupg/

Thanks, I will give it a try.

Confirming that this works. Summary:

Export private key:

gpg --homedir ~/.snap/gnupg/ --export-secret-keys -a

This will ask for the passcode used to create the key. The key is dumped.

At the destination machine, create privkey.txt with the above contents:

gpg --homedir ~/.snap/gnupg/ --import ./privkey.txt

This will ask for the passcode. Key in the same passcode.

snapcraft keys - Output now should contain the imported key
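
The export and import steps from this thread, wrapped as shell functions; this is an added example, not written by any of the posters. The function names are hypothetical, the keyring location and SNAP_GNUPG_HOME behaviour are as described above, and the owner-only file mode and the keyring backup before import are added precautions.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Keyring used by `snap create-key`: SNAP_GNUPG_HOME if set, else ~/.snap/gnupg.
snap_gpg_home() {
    printf '%s\n' "${SNAP_GNUPG_HOME:-$HOME/.snap/gnupg}"
}

# export_snap_key NAME OUTFILE
# Writes the armored private key to OUTFILE, readable by the owner only.
export_snap_key() {
    name=$1
    out=$2
    [ -n "$name" ] && [ -n "$out" ] || { echo "usage: export_snap_key NAME OUTFILE" >&2; return 2; }
    # Never silently replace an earlier export.
    [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; return 1; }
    (
        umask 077   # secret key material: no group/other access
        gpg --homedir "$(snap_gpg_home)" --armor --output "$out" \
            --export-secret-keys "$name"
    )
}

# import_snap_key FILE
# Copies the existing keyring aside, imports FILE, then lists the secret keys
# so the result can be compared with the source machine.
import_snap_key() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    home=$(snap_gpg_home)
    if [ -d "$home" ]; then
        cp -a "$home" "$home.bak.$(date +%Y%m%d%H%M%S)" || return 1
    else
        mkdir -p "$home" && chmod 700 "$home" || return 1
    fi
    gpg --homedir "$home" --import "$file" || return 1
    gpg --homedir "$home" --list-secret-keys --with-fingerprint
}
```

Source the file, then run `export_snap_key my-test-key privkey.txt` on the source machine and `import_snap_key privkey.txt` on the destination; delete the exported file once it is stored in the vault.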