Questions on snapcraft / snap key infrastructure

I’m in the process of signing model assertions for an image and studied if signing can be automated.
Automated can mean also having keys on a CI server, having separate keys for internal development assertions and published assertions, revoking keys and using keys without passphrase (non-interactive signing). Non-interactive signing I found to work by testing - just snapcraft create-key passwordlesskey and hit enter two times. After that you can sign your model assertions in non-interactive shell (e.g. Jenkins) using snap sign -k passwordlesskey > yourimage.model


  • Where are the keys stored - what is the absolute path to keys for a $USER?
    • I want to move the keys between machines or users within the machine.
    • It’s probably documented in the code but I did not look into that yet.
  • Revoking keys - seems “revoke-key” is implemented but I could not find it from 2.33 (on my Ubuntu 16.04 with snapcraft from deb). Issue was reported on 2.27 five months ago. Is “revoke-key” available in some version and how to update to that?
  • Obviously everyone needs to be careful with their keys but what happens to already signed assertions after revoking the keys - for example one of us finds that her keys have been compromised somewhere in the past?


In ~/.snap/gnupg/; albeit that’s an implementation detail that might change over time!

Hmm pass, also fall short of finding it too; I believe it was implemented on the backend side, but I couldn’t find the implementation. It might be on the snap client side, at least this was the initial approach:

Some assertions can be revoked (like the account-key assertion example above), also assertions are valid until a certain date, so you could limit the impact by updating them regularly – like SSL certs.

- Loïc

Thanks Loïc, appreciate it. +1 for renaming the keys.

Best, -Ville