However, I have only gotten it to work by actually logging in with the user that originally created the keys, like this:
export SNAPCRAFT_STORE_CREDENTIALS=$EXPORTED_CREDENTIAL_OF_ORIGINAL_KEY_CREATOR
snapcraft list-keys # This is necessary to setup the gpg properly
gpg --homedir ~/.snap/gnupg/ --import privatekey.txt
From what I understand, this should not be required. It should be possible to sign models/validation-sets/images without having to login to snapcraft.
However, when I try this I get the following error:
test@ubuntu:~$ gpg --homedir ~/.snap/gnupg/ --import privatekey.txt
gpg: keyblock resource '/home/test/.snap/gnupg/pubring.kbx': No such file or directory
gpg: no writable keyring found: Not found
gpg: key 4B6B50C7A990CE5D: failed to re-lookup public key: No public key
gpg: error reading 'privatekey.txt': No public key
gpg: import from 'privatekey.txt' failed: No public key
gpg: Total number processed: 0
gpg: secret keys read: 1
I understand from the error message that there is no keyring initialized in homedir ~/.snap/gnupg. How am I supposed to trigger such an initialization? Or am I misinterpreting the error message?
The issue here seems to be that snapcraft lazy initializes the gpg keyring.
On a new system you need to do a key-action to initialize it, and to do so you need to be logged in. Note that it doesn’t seem to matter what account you login with. In other words, if I register a key with account A, export the private key, then on a new system login with account B and import the private key, everything works as expected.
I think if snapcraft had an option to import private keys the initialization could be done properly. This import should be allowed without being logged in.
I guess filing an issue on github might be the best way forward here … though your findings sound a bit like there would be some re-design of the whole thing needed (which will likely not result in a quick fix)
