simplistic shell script for creating system-user assertions for use with snapd/ubuntu core

sign-system-user-assertion.sh

#!/bin/bash

set -e

# first argument is the name of the key to sign the assertion with
if [ "$#" != 1 ]; then
    echo "usage: ./sign-system-user-assertion <key-name>"
    exit 1
fi

KEYNAME="$1"

# first get public SHA3 signature of your account key from snapcraft list-keys
publicSHA3=$(snapcraft list-keys | grep "$KEYNAME" | awk '{print $3}')

# make sure that we didn't pick up more than one key if you have multiple keys matching the provided name
if [ "$(echo "$publicSHA3" | wc -w)" != "1" ]; then 
  echo "invalid number of keys found, must be exactly 1"
  exit 1
fi

# first always output the "account-key" assertion for this account key
accountKeyAssertion=$(snap known --remote account-key "public-key-sha3-384=$publicSHA3")

# then get the account-id from the account-key assertion to get the "account" assertion
accountID=$(echo "$accountKeyAssertion" | grep -Po "account-id: \K.*")

# get the "account" assertion
accountAssertion=$(snap known --remote account "account-id=$accountID")

# read the json input to get the account-id for the authority-id and the brand-id
jsonInput="$(cat)"

# TODO: what about system user assertions that do not have the same authority-id and 
#       brand-id as the account which is being used to sign the assertion? Those 
#       probably also need to be included too?

# brandIDAccountID=$(echo "$jsonInput" | jq -r '.brand-id')

# if [ "$brandIDAccountID" != "$accountID" ]; then
#   brandAccountAssertion=$(snap known --remote account "account-id=$brandIDAccountID")
# fi

# output the first two assertions
echo "$accountKeyAssertion"
echo "$accountAssertion"

# finally sign the document, this will go back out to stdout
echo "$jsonInput" | snap sign -k "$KEYNAME"