We are using snap signature keys to create/sign ubuntu-core images and private snaps.
I see various topics on exporting these keys to a private Key Vault using gpg, but have not seen any snap specific commands to do so.
What is the most effective way to export/import registered snap keys?
I am generating them using the following:
$ snap create-key myKey
$ snapcraft register-key
Has anyone had luck with this?
Checking in again on this.
By default it would be like this:
gpg --homedir /home/user/.snap/gnupg/ --export -a my-test-key
where my-test-key is the name of a key I created previously with snap create-key, and user is the name of the user currently executing the command.
The snap command there is more or less just setting a different gpg homedir to use for the keys.
As long as there is no value set in the environment for SNAP_GNUPG_HOME then it will determine the home of the user and use that path.
To follow-up with two notes:
- if you never named a key then a “default” will exist
- use --export-secret-keys to get the private key
Hi,
How do you import this key into the ~/snap/gnupg folder without erasing the already existing ones?
* No warranty provided, make back-ups and/or take necessary precautions not to lose keys *
You should just be able to import it with --import. It would only overwrite if an existing key with that ID exists, and even then it may warn you. I’m not certain, as I have not done this recently and don’t recall exactly.
When I did this, it copied the signature into ~/gnupg install of snap/sgnupg
Sorry, the implication was that you would use similar syntax as the export when importing; try adding: --homedir /home/user/.snap/gnupg/
Thanks, I will give it a try.
Confirming that this works.
Summary:
Export private key: gpg --homedir ~/.snap/gnupg/ --export-secret-keys -a
This will ask for the passcode used to create the key. The key is dumped.
On the destination machine, create privkey.txt with the above contents, then:
gpg --homedir ~/.snap/gnupg/ --import ./privkey.txt
This will ask for the passcode. Key in the same passcode.
snapcraft keys - the output should now contain the imported key.
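The export/import round trip from the summary above and from the earlier note about SNAP_GNUPG_HOME, written out as an added shell example; this is not code from the thread or from the snap/snapcraft projects. It assumes, as the thread states, that snap uses the keyring at $SNAP_GNUPG_HOME when that variable is set and $HOME/.snap/gnupg otherwise, that gpg is on PATH, and that key names are the ones given to `snap create-key` (my-test-key below is the thread's example name). Unlike the one-liners above it exports a single named key rather than every secret key in the keyring, and compares fingerprints on both sides so a wrong or partial import is caught before the key is used to sign anything.

```shell
#!/bin/sh
# Added example for this thread, not snap/snapcraft project code.
# Assumptions: snap honours SNAP_GNUPG_HOME and otherwise uses
# $HOME/.snap/gnupg (as stated in the thread); gpg is on PATH.
set -u

# Resolve the gpg homedir snap uses for the current user.
snap_gnupg_home() {
    if [ -n "${SNAP_GNUPG_HOME:-}" ]; then
        printf '%s\n' "$SNAP_GNUPG_HOME"
    else
        printf '%s/.snap/gnupg\n' "${HOME:?HOME must be set}"
    fi
}

# Export one named key (secret + public) as ASCII armour into a 0600 file.
# Naming the key avoids dumping every secret key in the keyring, which an
# unqualified --export-secret-keys does. gpg prompts for the passphrase.
# $1 = key name (as given to `snap create-key`), $2 = output file.
export_snap_key() {
    key_name=$1
    out=$2
    (umask 077 && : > "$out") || return 1
    gpg --homedir "$(snap_gnupg_home)" --armor \
        --export-secret-keys "$key_name" > "$out" || { rm -f "$out"; return 1; }
    # An unknown name can leave an empty file; treat that as a failure too.
    if [ ! -s "$out" ]; then
        echo "no secret key named '$key_name' in $(snap_gnupg_home)" >&2
        rm -f "$out"
        return 1
    fi
}

# Import an exported key into the snap keyring on the destination machine,
# creating the keyring directory with the permissions gpg expects.
# --import merges into the keyring; it does not delete keys already there.
# $1 = armoured key file produced by export_snap_key.
import_snap_key() {
    in=$1
    home=$(snap_gnupg_home)
    { mkdir -p "$home" && chmod 700 "$home"; } || return 1
    gpg --homedir "$home" --import "$in"
}

# Print the primary fingerprint of a named key in a gpg homedir, so the
# source and destination keyrings can be compared after the copy.
# $1 = gpg homedir, $2 = key name.
key_fingerprint() {
    gpg --homedir "$1" --batch --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage, source machine:
#   export_snap_key my-test-key privkey.asc
#   key_fingerprint "$(snap_gnupg_home)" my-test-key   # record this value
# Usage, destination machine, after moving privkey.asc over a trusted channel:
#   import_snap_key privkey.asc
#   key_fingerprint "$(snap_gnupg_home)" my-test-key   # must equal the source value
#   snapcraft keys                                      # the imported key is listed
#   shred -u privkey.asc                                # the armoured secret key is no longer needed
```

The fingerprint comparison is the check worth keeping: `snapcraft keys` only shows that some key with that name exists, while matching fingerprints show it is the same key material that was registered with `snapcraft register-key` on the source machine.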