I see two situations where we would want automatic provisioning of serial/system-user assertion:
Massive upgrade of deployed devices that did not initially have Ubuntu Core
For the first one, AFAIK, the way to go is the Serial Vault, although I do not know if any human intervention is needed there (it would be great if someone could clarify in more detail how the Serial Vault works).
But, how about the second case? If we have remote devices and we need to create users for each of them, how can we do that without a human going there with a USB stick? There are always tricks we can play, but it would be good if we had a general approach to these problems.
We talked about the serial-vault doing this in the past. Currently it just sends the serial-user assertion but it could send a stream of assertions including a system-user assertion. AFAIK this also requires changes on the snapd side to accept multiple assertions instead of a single one.
Actually, the serial vault can now sign a system-user assertion as well as sign a serial assertion. The serial assertion signing is fairly automated - you manually upload a signing key and define a model. Then, when the device boots, snapd will send the serial-request assertion to the serial vault and it will get a signed serial assertion.
The system-user assertion part is a new facility and is available as a UI. You just fill in the details of the user in a web form and it will generate a downloadable system-user assertion.
The serial-vault is just a single Go web application that can be run in one of three modes: admin UI, signing serials, or system-user.