asserts: key rotation — trust second root key + remove signature-check hack#5
Merged
Conversation
Add a second syncloud root account-key (public-key-sha3-384 NX7IJUak...) to the trusted assertion set, alongside the existing one. This is Phase 1 of signing-key rotation: devices that pick up this snapd will trust assertions signed by EITHER the old or the new key. The store still signs with the old key, so nothing changes yet. Once the fleet trusts both keys, the store can be switched to the new key, and the old key dropped from the trusted set in a later change. The new key pair was generated offline; its private half is kept out of source (staged only as a store CI secret). The account-key's self-signature was verified independently (raw openpgp) before embedding.
Both SignatureCheck and CheckSignature swallowed signature-verification failures and returned nil, so snapd accepted any assertion regardless of its cryptographic signature. Restore the real error return and drop the associated debug prints and now-unused logger imports. Safe to do now that the store emits canonical, verifying assertions (syncloud/store: canonical signer). Validated end-to-end by the store e2e installing a snap from the store with this snapd.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Combined key-rotation change for snapd. Do not merge yet — for review.
1. Trust a second syncloud root account-key
Adds a second syncloud root
account-key(public-key-sha3-384: NX7IJUak…) to the trusted set inasserts/sysdb/trusted.go, alongside the existing one. Devices then trust assertions signed by either key — the overlap window needed to rotate the store's signing key. New key's private half is not in source (staged as a store CI secret; self-signature independently verified).2. Remove the signature-verification hack
SignatureCheckandCheckSignatureswallowed verification failures and returned nil, so snapd accepted any assertion regardless of signature. Restores the real error return and drops the debug prints + now-unusedloggerimports.Safe because the store now emits canonical, verifying assertions (syncloud/store canonical signer, already in prod).
Validation
keymgrtests fail).snap install testapp1from the canonical store succeeds under real verification.Rollout order (after review/merge)
The canonical store is already in prod, so devices picking up this snapd verify correctly. Flip the store to the new key only once the fleet trusts both; drop the old key later.