Revert managed Core22 to unmanaged

I have successfully set up a serial vault and created a working USB with an auto-import.assert.

I have console-conf disabled.

Using the usb key I am able to change my device from unmanaged to managed and then can ssh into my Core22 system.

There are some unexpected behaviors that I consider bugs.

  1. My auto-import.assert file has an expiration date as represented by the “until” field. If I use a USB stick that is expired, I don’t create a working system-user. BUT something has happened, because if I update my auto-import.assert file on the USB stick I still can’t get in. Attempting to use an expired key has locked me out of ever being able to get into the system ever again even if I present a valid auto-import.assert file. Seems like a bug.

  2. I use a valid usb key and create a good system-user. I’m on the system.
    `snap known system-user` will return information about my key, and the expiration.
    After the key expires, the system-user should also expire. The system should revert back to being an unmanaged system if the authorization has expired. That is the second bug.

------------------ Feature request ------------------

Once a system-user is created with a USB key, the device is locked into being managed. If I insert a USB with a valid auto-import.assert, I would like to see the current system user updated to the ssh keys represented by the current physically present valid assert presentation. So far I see no way to update to a different system-user's credentials even when I present a valid assert file.

Wendell

Thanks for reporting this. Can you please check if your system-user assertions contain the user-presence keyword and "format": "2"? Here is an example from our integration tests https://github.com/snapcore/snapd/blob/master/tests/nested/manual/core20-auto-remove-user/user2.json#L18

It looks like the documentation for this needs an update too, I will look into this.

From my auto-import.assert file:

  1. The user-presence keyword is not present.
  2. The “format: 2” is also not present.

This may be relevant to the issue. We went through on-boarding training in late November 2022. We only used snapcraft 7.x during our training and all keys were created using 7.x. We were advised that the make-system-user does not work with snapcraft 7.x, and instead were given a bash script to create our auto-import.assert for system users. I attempted to use the on-line documentation today, but I am unable to register our keys…
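The check requested in the reply above can be scripted. The following is an added example, not part of the thread and not snapd code: it reads the headers of each system-user assertion in an auto-import.assert stream and reports a missing "format: 2", a missing user-presence header, or an "until" date that has passed. The sample assertion is constructed, with placeholder IDs and signature, and the value `until-expiration` is assumed to be what the linked test file uses.

```python
from datetime import datetime, timezone

# Constructed sample: placeholder IDs and signature, not a real assertion.
SAMPLE = """\
type: system-user
format: 2
authority-id: BRAND-ID-PLACEHOLDER
brand-id: BRAND-ID-PLACEHOLDER
email: admin@example.com
series:
  - 16
models:
  - example-model
name: Example Admin
username: admin
since: 2022-11-01T00:00:00+00:00
until: 2023-11-01T00:00:00+00:00
user-presence: until-expiration
sign-key-sha3-384: KEY-ID-PLACEHOLDER

SIGNATURE-PLACEHOLDER
"""

def parse_headers(stream):
    """Yield the scalar top-level headers of each assertion in the stream."""
    for block in stream.split("\n\n"):
        if not block.startswith("type: "):
            continue  # signature or body block, not a header block
        headers = {}
        for line in block.splitlines():
            if line[:1].isspace() or ": " not in line:
                continue  # skip list items and list-valued headers
            key, value = line.split(": ", 1)
            headers[key] = value
        yield headers

def check_system_users(stream, now=None):
    """Return findings for each system-user assertion in the stream."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for h in parse_headers(stream):
        if h.get("type") != "system-user":
            continue
        user = h.get("username", "?")
        if int(h.get("format", "0")) < 2:
            findings.append(f"{user}: format is below 2")
        if "user-presence" not in h:
            findings.append(f"{user}: no user-presence header")
        until = datetime.fromisoformat(h["until"].replace("Z", "+00:00"))
        if until <= now:
            findings.append(f"{user}: expired at {h['until']}")
    return findings
```

Run `check_system_users(open("auto-import.assert").read())` against the file on the USB stick; an empty list means none of the three conditions was found.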