I’m just building a custom version of our gadget snap. Most of the preparations are already done by canonical (we did an enrollment project together).
I have a prefabricated buildscript, which asks for the “API Key”. I have this API Key, in plaintext in the buildscript, so far I can work with with. I then tried to find out what this key is, and where would it come from resp. how would I get it if I would not have it in plain text.
From a quick poke through the code, it looks like the API Key you’re referencing is used to authenticate requests sent to the service at https://serial-vault-partners.canonical.com/v1/. This is running Serial Vault whose source can be found at https://github.com/CanonicalLtd/serial-vault. I think this service is for providing a device with signatures and keys to use for accessing the Snap Store, or Brand Store, though I don’t have enough knowledge to state that categorically. Hopefully a person from Canonical will spot this and reply
@lucyllewy is correct, the API key is provided to snapd by the gadget snap when a device is first booted (i.e. during the “seeding” process) to snapd, and then snapd uses that when it makes a request for a serial assertion from either a device service (another term for the serial vault) or from the generic snap store (in the case of using a specific device service, the gadget snap must also provide to snapd the URL of the device service). A specific device service like the serial vault is typically only used for branded devices with a brand store, otherwise generic devices will ask the snap store directly and get a generic serial assertion. Both the URL of the serial vault and the API key is provided via the prepare-device hook in the gadget snap, you see some more details here: https://core.docs.ubuntu.com/en/guides/build-device/gadget
This depends on who is managing the serial vault, if you are using one managed by Canonical or running your own via the link provided above for the serial-vault.
Thanks a lot for your answers, I got also help from canonical they spottet the question. We have our own brand store and I got some PDF’s for explanation. So for the others who are interested:
There is a webapplication available online which gives the possibility to manage the serial vault.
Inside this serial fault, one can generate this API key’s and then they can be added to the model. The public part of this API key can also be viewed later on. The private part is linked to the accounts in the background and can not be viewed resp. downloaded later on.
In our case, as ijohnson pointed, we are a device manufacture and build as much as possible by our own. So we have our own snap store, our own serial vault, custom models which fit our custom hardware, with a custom image.