Installing UC20 in Virtuabox triggers invalid signature after ubuntu-boot not found

your pubring.* permissions look too open, they should only be rw for the user …

Even after fixing the permissions the same error pops.

("gpg: WARNING: unsafe ownership on homedir '/home/zap2x/.snap/gnupg'\ngpg: signing failed: No such file or directory\ngpg: signing failed: No such file or directory\n")

what about the toplevel dir ?

$ ls -ld ~/.snap/
drwx------ 2 ogra ogra 4096 Sep 18  2016 /home/ogra/.snap/

drwx------ 3 zap2x zap2x 4096 feb 12 10:49 /home/zap2x/.snap/

same as yours…

Adding more info on gpg:

$  gpg --homedir /home/zap2x/.snap/gnupg --list-keys
   gpg: checking the trustdb
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
   pub   rsa4096 2016-01-01 [SCEA]
   uid           [ultimate] uc20-key

Also the key uc20-key is registered:

curl -s<keyid> | jq
  "headers": {
    "account-id": "<AccountID>",
    "authority-id": "canonical",
    "body-length": "717",
    "name": "uc20-key",
    "public-key-sha3-384": "<id>",
    "sign-key-sha3-384": "<id>",
    "since": "2021-02-12T09:56:29Z",
    "type": "account-key"
  "body": "<Large ID>"

and the key is the same you used to sign the model assertion ?

Yeah, exactly the same.

Both sign-key-sha384 in the file .model and the key passed in -k parameter, are the same…

Could this be related to the fact that make-system-user does not have the ~/.snap/gnupg/ well configured? I saw that you can pass a --home-dir <path> to the gpg binary but nothing like that when calling make-system-user

that would probably be a question for @kyleN, who maintains make-systerm-user

make-system-user should just be calling out to snap sign -k ..., which is what is using ~/.snap/gnupg/.

Can you show the produced system user assertion?

1 Like

Hello, this is the produced system assertion. I still dont get why can not be signed…

edit: there is a little typo on the pastebin command, but in reality there is a space between mypass and -k param.

The produced assertion you linked to does not actually contain the system-user assertion, it just includes the account and account-key assertions, so this explains why it is not used at all. We will need to figure out why it’s not signing that part, but also make-system-user should be updated to not produce anything in this scenario, it seems to be ignoring errors unfortunately

1 Like

I’ll take a look calling out to snap sign in shell instead.

Hey guys, new things around here. I was able to create a system user assertion (apparently using sudo one time breaks things, now my user-assertion is technically signed). Unfortunately, while using a virtual machine i am not able to create the user in the system even tho I have the auto-import.assert on the root of an usb attached. Also I dont recieve any feedback of the system finding an assert file…

Do you have any clue of what might be happening? AFAIK the uc20 should be able to create a new user at any time, isn’t it?

Nvm, got that last issue solved. I missunderstood something from the documentation.

When executing
$ sudo make-system-user --brand bJzr2XzZg6Qv6Z53dsjhg20975Skjs \ --model mymodel --key my-key-name --username <new-user-name> \ --email <new-user-email-address> --password <new-user-password>

I wrote: --model pcimage.model instead of the model name inside the file.

A dumb mistake, but i am sure it happened to someone else too.