More information about serial vault settings


I was wondering if there was more information about the serial-vault, I’ve read How to configure serial vault and I’ve managed to add my Signing Key and Model but I still have a few questions on what the following are;

Account assertion
Account key assertion
System-User assertion key

Thanks in advance

That section of the serial-vault is related to System-User Assertions.
When you do a fresh install of snappy on a device, it does not give you a user that you can login to the device as. The idea behind the System-User Assertion is that it allows for a system-user to be created on a device that is unmanaged i.e. hasn’t had a system-user created.

The Serial-Vault provides a form that allows a system-user assertion to be created for the device and provides a convenient file download so you can copy the file to a USB stick. Then, reboot the device with the USB stick and it will generate the user for you.

To create a valid system-user assertion for a device, a number of things are needed:

  • Username and password of the user to be created
  • Account assertion
  • Account key assertion
  • A signing key that has been registered with the store

The account assertion and account key assertion are documented on the main site, so I won’t repeat the info here. The Serial-Vault caches those assertions in the database and there is a command-line utility with the serial-vault that allows you to download them from the store (account-assertions command). However, we are refactoring the various commands into a singe serial-vault-admin command. The idea is that you can run the “serial-vault-admin account cache” as a cron and that will keep your various accounts and account-key assertions up-to-date within the database cache.

The signing key must be a passwordless signing key that has been registered with the store - similar to the “serial” key that is mentioned in the post your referred to. You can use the same key for multiple things, but it is probably better practice to have one key per function.

Hey James

Thanks for getting back to me.

I’ve managed to get the account assertion linked for my snapcraft login, but I can’t seem to get an account-key for my account? I’m getting the canonical store one, which I’m guessing is normal.

As far as creating a system-user with a USB stick, is there any way to debug this? I’m just getting booted in the config screen. And is there a way to debug the signing of the device as well?

Kind regards


There is a command-line function to update the account-key assertion. If you are on version 1.5 of the serial-vault you’ll need to run:

For 1.6 (which is still in development), we’ve moved everything to a serial-vault-admin command-line:
serial-vault-admin account cache

There isn’t any way that I’ve found of debugging the creation of the system-user. It’s a catch-22: you need a system-user to login to see why the system-user wasn’t created. If the system-user assertion was valid, it is quite likely a issue with the system time. There is a bug about this. If you set the valid-from date/time of the system-user assertion to the image creation time, it should be okay.

The alternative is to make sure that the network is configured on the device, if that’s possible, as then it should be able to set the system time correctly from a network server. Naturally, on some devices, that will not be possible.