Skip to content

asserts: key rotation — trust second root key + remove signature-check hack#5

Merged
cyberb merged 2 commits into
masterfrom
add-second-trusted-key
Jul 7, 2026
Merged

asserts: key rotation — trust second root key + remove signature-check hack#5
cyberb merged 2 commits into
masterfrom
add-second-trusted-key

Conversation

@cyberb

@cyberb cyberb commented Jul 6, 2026

Copy link
Copy Markdown
Member

Combined key-rotation change for snapd. Do not merge yet — for review.

1. Trust a second syncloud root account-key

Adds a second syncloud root account-key (public-key-sha3-384: NX7IJUak…) to the trusted set in asserts/sysdb/trusted.go, alongside the existing one. Devices then trust assertions signed by either key — the overlap window needed to rotate the store's signing key. New key's private half is not in source (staged as a store CI secret; self-signature independently verified).

2. Remove the signature-verification hack

SignatureCheck and CheckSignature swallowed verification failures and returned nil, so snapd accepted any assertion regardless of signature. Restores the real error return and drops the debug prints + now-unused logger imports.

Safe because the store now emits canonical, verifying assertions (syncloud/store canonical signer, already in prod).

Validation

  • asserts unit tests pass (only pre-existing environmental keymgr tests fail).
  • End-to-end: built this snapd (hack removed), pointed the store e2e at it — snap install testapp1 from the canonical store succeeds under real verification.
  • Real device: installed on an arm64 device — sees existing apps, services active, operations work, no signature-verification errors.

Rollout order (after review/merge)

The canonical store is already in prod, so devices picking up this snapd verify correctly. Flip the store to the new key only once the fleet trusts both; drop the old key later.

Add a second syncloud root account-key (public-key-sha3-384
NX7IJUak...) to the trusted assertion set, alongside the existing one.

This is Phase 1 of signing-key rotation: devices that pick up this
snapd will trust assertions signed by EITHER the old or the new key.
The store still signs with the old key, so nothing changes yet. Once
the fleet trusts both keys, the store can be switched to the new key,
and the old key dropped from the trusted set in a later change.

The new key pair was generated offline; its private half is kept out of
source (staged only as a store CI secret). The account-key's
self-signature was verified independently (raw openpgp) before
embedding.
Both SignatureCheck and CheckSignature swallowed signature-verification
failures and returned nil, so snapd accepted any assertion regardless of
its cryptographic signature. Restore the real error return and drop the
associated debug prints and now-unused logger imports.

Safe to do now that the store emits canonical, verifying assertions
(syncloud/store: canonical signer). Validated end-to-end by the store
e2e installing a snap from the store with this snapd.
@cyberb cyberb changed the title asserts: trust a second syncloud root account-key (key rotation, Phase 1) asserts: key rotation — trust second root key + remove signature-check hack Jul 7, 2026
@cyberb cyberb merged commit 6fffe26 into master Jul 7, 2026
5 of 9 checks passed
@cyberb cyberb deleted the add-second-trusted-key branch July 7, 2026 11:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant