Snapcraft equivalent of `snap sign`

It seems that snapd does all the key handling, but snapcraft acts as a front-end for it. `snap -h` shows no key-related options, but `snapcraft -h` does. There’s a missing piece though. Let’s say I’m creating a new model assertion in order to create a custom image with `ubuntu-image`. From scratch (i.e. all I have is a store account) it looks like this:

  1. Create key:

        $ snapcraft create-key my-key-name

  2. Verify the status of that key:

        $ snapcraft list-keys
             Name           SHA3-384 fingerprint
        *    my-key-name    Qjdfpj0EWAW<snip>kkiZ41H4CROy  (not registered)

  3. Register that key:

        $ snapcraft register-key
        Registering key ...
        Done. The key "my-key-name" (QjdfpH4CROy) may be used to sign your assertions.

That’s all well and good, but when it comes time to create the model assertion, that looks like this:

    $ cat my-model.json | snap sign -k my-key-name > my.model
    You need a passphrase to unlock the secret key for
    user: "my-key-name"
    4096-bit RSA key, ID 0B79B865, created 2016-01-01
    ...

All of a sudden needing to use `snap sign` here when the rest of the flow didn’t use `snap` at all is confusing. Is this an oversight? Or is the plan for `snapcraft` to grow a `sign` subcommand?

2 Likes

I agree, I always found it very confusing.

The plan has been to have a model creator tool, and I think in the interim for somebody to write some simpler `snapcraft model` command, but nobody has got to that.

Given the situation, exposing a `snapcraft sign` would be alright in my book.