asserts: trust a second syncloud root account-key (key rotation, Phase 1)#5
Open
cyberb wants to merge 1 commit into
Open
asserts: trust a second syncloud root account-key (key rotation, Phase 1)#5cyberb wants to merge 1 commit into
cyberb wants to merge 1 commit into
Conversation
Add a second syncloud root account-key (public-key-sha3-384 NX7IJUak...) to the trusted assertion set, alongside the existing one. This is Phase 1 of signing-key rotation: devices that pick up this snapd will trust assertions signed by EITHER the old or the new key. The store still signs with the old key, so nothing changes yet. Once the fleet trusts both keys, the store can be switched to the new key, and the old key dropped from the trusted set in a later change. The new key pair was generated offline; its private half is kept out of source (staged only as a store CI secret). The account-key's self-signature was verified independently (raw openpgp) before embedding.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Phase 1 of rotating the syncloud signing key. The current root signing key's private half has been exposed (committed in the store repo), so it must be rotated. Rotating snapd's trust anchor over an installed fleet requires an overlap window where devices trust both the old and new key before the store switches signing keys.
What
Adds a second syncloud root
account-key(public-key-sha3-384: NX7IJUak…) to the trusted assertion set inasserts/sysdb/trusted.go, alongside the existing one. A device running this snapd trusts assertions signed by either key.Nothing changes behaviourally yet — the store still signs with the old key. This just prepares the fleet.
Key hygiene
assertsencoding, and its self-signature was verified independently with raw openpgp (not the fork'sSignatureCheck, which currently always passes) before embedding.Rollout sequence
Related: store PR adding the new key as a CI secret (loaded but not enabled).