Skip to content

asserts: trust a second syncloud root account-key (key rotation, Phase 1)#5

Open
cyberb wants to merge 1 commit into
masterfrom
add-second-trusted-key
Open

asserts: trust a second syncloud root account-key (key rotation, Phase 1)#5
cyberb wants to merge 1 commit into
masterfrom
add-second-trusted-key

Conversation

@cyberb

@cyberb cyberb commented Jul 6, 2026

Copy link
Copy Markdown
Member

Why

Phase 1 of rotating the syncloud signing key. The current root signing key's private half has been exposed (committed in the store repo), so it must be rotated. Rotating snapd's trust anchor over an installed fleet requires an overlap window where devices trust both the old and new key before the store switches signing keys.

What

Adds a second syncloud root account-key (public-key-sha3-384: NX7IJUak…) to the trusted assertion set in asserts/sysdb/trusted.go, alongside the existing one. A device running this snapd trusts assertions signed by either key.

Nothing changes behaviourally yet — the store still signs with the old key. This just prepares the fleet.

Key hygiene

  • New key generated offline; private half is not in source — it is staged only as a store CI secret (see the companion store PR).
  • The account-key was produced via snapd's own asserts encoding, and its self-signature was verified independently with raw openpgp (not the fork's SignatureCheck, which currently always passes) before embedding.

Rollout sequence

  1. (this PR) trust old+new → ship to fleet.
  2. store: fix signing to canonical format, still old key.
  3. remove the signature-verification hack once assertions verify; ship hack-free snapd (old+new).
  4. store: switch active key to new.
  5. later: drop the old key from the trusted set.

Related: store PR adding the new key as a CI secret (loaded but not enabled).

Add a second syncloud root account-key (public-key-sha3-384
NX7IJUak...) to the trusted assertion set, alongside the existing one.

This is Phase 1 of signing-key rotation: devices that pick up this
snapd will trust assertions signed by EITHER the old or the new key.
The store still signs with the old key, so nothing changes yet. Once
the fleet trusts both keys, the store can be switched to the new key,
and the old key dropped from the trusted set in a later change.

The new key pair was generated offline; its private half is kept out of
source (staged only as a store CI secret). The account-key's
self-signature was verified independently (raw openpgp) before
embedding.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant