Signing assertions with snapd

I was automating a way to sign assertions.
One of my approaches was to use snapd directly to create the key (instead of its wrapper in snapcraft).
So first I create the key, and then sign the assertion using it. (In this case the key is not being registered in the store.)
Question here: Is it possible to use a key to sign an assertion even if that key is not registered in the store?
Right now I am able to use the keys without registering them in the store, but I wonder whether it is because the feature is not ready yet in snapd, or it is a bug, or some other reason.

Thanks in advance for your clarifications on this.

“snap sign” etc. are low-level tools (that’s why they are not listed in “snap help”).

Registering a key with the store creates an assertion with account-key type, which is basically the store countersigning the public part of the key.

Without presenting the account-key to snapd before or together with assertions signed with the key, snapd will not accept those assertions (as the trust chain works ATM).

Thanks @pedronis! It is clearer now. Summarizing the steps, the script should do:

1- Create the key with snapd
2- Export the key with snapd (save the account-key-request)
3- Do a POST to the account/account-key API with the request generated in step 2

After that, if I do a “snap known account-key”, should I see a new account-key assertion? Because right now I see no changes before and after registering the key.

Am I missing any step/s?

No, at the moment it doesn’t get added automatically, but it will then exist in the store assertion service. One way to see/get it is:

snap known --remote account-key public-key-sha3-384=KEY-SHA3-384

where KEY-SHA3-384 is the id shown by “snap keys”, for example.


Thanks @pedronis, that worked!
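The three steps summarized in the second post, followed by the verification command from pedronis’s reply, as an added shell script that is not from the thread or from snapd itself. The dashboard URL path, the JSON field name `account_key_request` and the macaroon-style Authorization header value are assumptions; ACCOUNT_ID and STORE_AUTH are placeholders you must supply.

```shell
#!/bin/sh
# Added example (not from the thread): register a locally created snapd key with
# the store and then fetch the resulting account-key assertion to confirm it.
# ASSUMED (not in the thread): the dashboard URL path, the JSON field name and
# the macaroon Authorization header; check them against the store API you use.
STORE_URL="${STORE_URL:-https://dashboard.snapcraft.io/dev/api/account/account-key}"

# Step 1: create the key pair locally; the private part never leaves the keyring.
create_key() { snap create-key "$1"; }

# Find the SHA3-384 id of a named key in "snap keys" output read on stdin
# (header line skipped); returns 1 if the name is absent.
key_sha3_for_name() {
  awk -v name="$1" 'NR > 1 && $1 == name { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# Step 2: export the public part as an account-key-request assertion.
export_request() { snap export-key --account="$2" "$1"; }

# Escape an assertion (stdin) for embedding as a JSON string value.
json_escape() { sed 's/\\/\\\\/g; s/"/\\"/g' | awk 'BEGIN { ORS = "\\n" } { print }'; }

# Step 3: POST the request; the store countersigns the public key as an account-key.
# $1 = Authorization header value (assumed macaroon format), request on stdin.
register_key() {
  payload=$(printf '{"account_key_request": "%s"}' "$(json_escape)")
  curl -sS -f -X POST "$STORE_URL" -H "Authorization: $1" \
       -H 'Content-Type: application/json' -d "$payload"
}

# Check: snapd does not add the account-key locally, so pull it from the store
# assertion service by key id (the command pedronis gives above).
verify_registered() { snap known --remote account-key "public-key-sha3-384=$1"; }

main() {
  name="${KEY_NAME:-mykey}" account="${ACCOUNT_ID:?set ACCOUNT_ID}"
  create_key "$name"
  sha=$(snap keys | key_sha3_for_name "$name") || { echo "key $name missing" >&2; exit 1; }
  export_request "$name" "$account" | register_key "${STORE_AUTH:?set STORE_AUTH}"
  verify_registered "$sha"
}
if [ "${RUN_STEPS:-0}" = 1 ]; then main; fi
```

Run with `RUN_STEPS=1 ACCOUNT_ID=... STORE_AUTH=... sh register-key.sh`; without RUN_STEPS the file only defines the functions, so it can be sourced and the helpers reused.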