Sign a model assertion

After a model assertion has been created or modified, it must be signed with a GPG key. This ensures the model cannot be altered without the key and also links the created image to both the signed version of the model and your Ubuntu One account.

This is accomplished in three stages:

1. Create a key

First, check whether any keys are already associated with your account by running the snapcraft keys command. You will only have a key if you have previously signed an assertion; if you already have one, you can use it instead of creating a new key:

$ snapcraft keys
No keys have been registered. See 'snapcraft register-key --help' to register a key.

Now use snapcraft to create a key called my-models (the name is arbitrary):

$ snapcraft create-key my-models
Passphrase: <passphrase>
Confirm passphrase: <passphrase>

As shown above, you will be asked for a passphrase. You need to remember this as you’ll be prompted to enter it whenever you use the key, including the very next step.

Note: Rather than creating a key for every device, the same key is typically used across all models or model families.

2. Register the key

We now need to upload the key and register it with your Ubuntu One account. This is accomplished with register-key:

$ snapcraft register-key
Enter your Ubuntu One e-mail address and password.
If you do not have an Ubuntu One account, you can create one at
Email: <Ubuntu-SSO-email-address>
Password: <Ubuntu-SSO-password>

Registering key ...
Done. The key "my-models" (<key fingerprint>) may be used to sign your assertions.

Regardless of whether you’re logged in with snapcraft, you will be asked for your account and password details. You’ll also need to unlock the key with your passphrase, and when the process is complete, the snapcraft keys command will now list the registered key:

$ snapcraft keys
    Name       SHA3-384 fingerprint
*   my-models  <key fingerprint>

Update the timestamp

As mentioned earlier, the timestamp in the model assertion must be set to a time and date after the creation of your signing key. This means we need to edit my-model.json and update the timestamp with the current time.

    "timestamp": "2022-02-16T12:55:44+00:00",

This is an ISO 8601 time and date value in UTC, used to denote the assertion's creation time. It needs to be replaced with the current time and date, which can be generated in the same format with the following command:

$ date -Iseconds --utc

3. Sign the model

A model assertion is created and signed by feeding the JSON file into the snap sign command (along with your recently-created key name), and capturing the output in the corresponding model file:

$ snap sign -k my-models < my-model.json > my-model.model

You will again be asked for your key’s passphrase.

The resultant my-model.model file contains the signed model assertion and can now be used to build the image.

Note: If you encounter a gpg: signing failed error while signing your assertion from a non-desktop session, such as over SSH, run the following command first so that gpg can prompt for your passphrase on the current terminal:

$ export GPG_TTY=$(tty)
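The timestamp update and the signing step above can be automated so that the timestamp is always regenerated, checked for the expected format, and confirmed to be later than the key's creation time before snap sign is invoked. The script below is an added example and is not part of the Ubuntu Core documentation or the snapcraft tooling; it assumes GNU coreutils date (for -Iseconds, --utc and -d) and GNU sed (for -i), and the sample my-model.json content is constructed here for illustration. The sign_model function is defined but not called by the top-level code, since it needs snap and a registered key.

```shell
#!/bin/sh
# Added example: refresh and validate the "timestamp" of a model assertion
# JSON file before signing it with `snap sign`. Not from the original docs.
set -eu

# Current time in the form the assertion expects, e.g. 2022-02-16T12:55:44+00:00
# (identical to the page's `date -Iseconds --utc`).
now_utc() {
    date -Iseconds --utc
}

# Return 0 if $1 is a UTC ISO 8601 timestamp with an explicit +00:00 offset.
valid_timestamp() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\+00:00$'
}

# Return 0 if timestamp $1 is strictly later than timestamp $2, e.g. the model
# timestamp compared with the time the signing key was created.
later_than() {
    [ "$(date -d "$1" +%s)" -gt "$(date -d "$2" +%s)" ]
}

# Print the value of the first "timestamp" field in the model JSON file $1.
read_timestamp() {
    sed -n 's/^[[:space:]]*"timestamp":[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Rewrite the "timestamp" line of model JSON file $1 in place with the current
# UTC time and print the new value.
update_model_timestamp() {
    file=$1
    new=$(now_utc)
    sed -i "s|^\([[:space:]]*\"timestamp\":[[:space:]]*\)\"[^\"]*\"|\1\"$new\"|" "$file"
    read_timestamp "$file"
}

# Stage 3 of the page: sign $2 (JSON) with key $1 into $3 (.model), after
# checking the timestamp. Assumes `snap` is installed and the key is registered;
# this function is not run by the top-level code below.
sign_model() {
    key=$1
    json=$2
    out=$3
    ts=$(read_timestamp "$json")
    if ! valid_timestamp "$ts"; then
        echo "refusing to sign: bad timestamp '$ts' in $json" >&2
        return 1
    fi
    # Non-desktop sessions (such as SSH) need GPG_TTY so gpg can prompt for
    # the key passphrase; `tty` exits non-zero when stdin is not a terminal.
    if [ -z "${GPG_TTY:-}" ] && t=$(tty 2>/dev/null); then
        export GPG_TTY=$t
    fi
    snap sign -k "$key" < "$json" > "$out"
}

# Constructed sample (not a real model assertion) carrying the page's old
# timestamp, so the update can be demonstrated offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
{
    "type": "model",
    "series": "16",
    "timestamp": "2022-02-16T12:55:44+00:00"
}
EOF

echo "before: $(read_timestamp "$SAMPLE")"
echo "after:  $(update_model_timestamp "$SAMPLE")"
```

A real run would then call sign_model my-models my-model.json my-model.model, which prompts for the key passphrase exactly as the manual snap sign invocation does.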