@anonymouse64
Created September 25, 2020 10:28
simplistic shell script for creating system-user assertions for use with snapd/ubuntu core
```bash
#!/bin/bash
set -e

# first argument is the name of the key to sign the assertion with
if [ "$#" != 1 ]; then
    echo "usage: ./sign-system-user-assertion <key-name>"
    exit 1
fi
KEYNAME="$1"

# first get the public SHA3-384 fingerprint of your account key from snapcraft list-keys
publicSHA3=$(snapcraft list-keys | grep "$KEYNAME" | awk '{print $3}')

# make sure that we didn't pick up more than one key if you have multiple keys matching the provided name
if [ "$(echo "$publicSHA3" | wc -w)" != "1" ]; then
    echo "invalid number of keys found, must be exactly 1"
    exit 1
fi

# first always output the "account-key" assertion for this account key
accountKeyAssertion=$(snap known --remote account-key "public-key-sha3-384=$publicSHA3")

# then get the account-id from the account-key assertion to get the "account" assertion
accountID=$(echo "$accountKeyAssertion" | grep -Po "account-id: \K.*")

# get the "account" assertion
accountAssertion=$(snap known --remote account "account-id=$accountID")

# read the json input (from stdin) to get the account-id for the authority-id and the brand-id
jsonInput="$(cat)"

# TODO: what about system user assertions that do not have the same authority-id and
# brand-id as the account which is being used to sign the assertion? Those
# probably also need to be included too?
# brandIDAccountID=$(echo "$jsonInput" | jq -r '."brand-id"')
# if [ "$brandIDAccountID" != "$accountID" ]; then
#     brandAccountAssertion=$(snap known --remote account "account-id=$brandIDAccountID")
# fi

# output the first two assertions
echo "$accountKeyAssertion"
echo "$accountAssertion"

# finally sign the document, this will go back out to stdout
echo "$jsonInput" | snap sign -k "$KEYNAME"
```
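An added example, not part of the gist, of producing the JSON document the script reads on stdin. The field set is the one snapd defines for a system-user assertion; the brand, model, dates and password hash used here are constructed placeholders, and the preflight checks (a SHA-512 crypt(3) hash only, a bounded since/until window, a named model) are this example's own policy rather than snapd's validation rules.

```bash
#!/bin/bash
# Usage (assumed for this example):
#   system_user_json BRAND_ID EMAIL USERNAME NAME PW_HASH MODEL SINCE UNTIL
# SINCE/UNTIL are ISO 8601 with a +00:00 offset so they compare as plain strings.
system_user_json() {
    local brand="$1" email="$2" username="$3" name="$4"
    local pwhash="$5" model="$6" since="$7" until="$8" v
    # the values are interpolated into JSON without escaping, so refuse
    # anything that could break the document
    for v in "$@"; do
        case "$v" in
            *'"'*|*'\'*) echo "refusing value with quote or backslash: $v" >&2; return 1 ;;
        esac
    done
    # never sign a plaintext password: require a $6$ (SHA-512 crypt) hash
    case "$pwhash" in
        '$6$'*) ;;
        *) echo "password must be a \$6\$ crypt(3) hash, not plaintext" >&2; return 1 ;;
    esac
    # an unscoped or open-ended system-user assertion is a standing credential
    # for every device that trusts the brand, so insist on a model and a window
    if [ -z "$model" ] || [ -z "$since" ] || [ -z "$until" ] || ! [ "$until" \> "$since" ]; then
        echo "models, since and until are required and until must be after since" >&2
        return 1
    fi
    cat <<EOF
{
  "type": "system-user",
  "authority-id": "$brand",
  "brand-id": "$brand",
  "series": ["16"],
  "models": ["$model"],
  "name": "$name",
  "username": "$username",
  "email": "$email",
  "password": "$pwhash",
  "since": "$since",
  "until": "$until"
}
EOF
}
```

Pipe the output into the signing script: `system_user_json ... | ./sign-system-user-assertion <key-name>`.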