Add distro/ubuntuCore for UC26 snap and image builds.

Centralize salmanoff snapcraft, dangerous-model image scripts, and QEMU workflow so UC26 can be reproduced from the SMO repo without ubuntu-core-practice. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-25 23:01:52 -04:00
parent 44d12eeb9e
commit 038d59f972
17 changed files with 1295 additions and 0 deletions
@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+# One-time setup: Ubuntu One login + GPG signing key for custom UC26 dev models.
+set -euo pipefail
+
+UC_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+ENV_FILE="${UC_ROOT}/config/dev-image.env"
+EXAMPLE="${UC_ROOT}/config/dev-image.env.example"
+KEY_NAME="${SIGN_KEY_NAME:-salmanoff-dev}"
+SSH_DIR="${UC_ROOT}/config/ssh"
+SSH_PRIV="${SSH_DIR}/smo-dev"
+SSH_PUB="${SSH_DIR}/smo-dev.pub"
+
+usage() {
+    cat <<'EOF'
+Usage: setup-dev-signing.sh [OPTIONS]
+
+Prepare signing credentials for dangerous-grade salmanoff-dev-amd64 images.
+
+This script:
+  1. Ensures an SSH keypair exists for the seeded system user (smo).
+  2. Guides snapcraft login + create-key + register-key (interactive).
+  3. Writes config/dev-image.env with your Snap Store account id.
+
+Options:
+  --key-name NAME   Signing key name (default: salmanoff-dev)
+  -h, --help        Show this help
+
+After setup, run:
+  scripts/sign-dev-assertions.sh
+  scripts/build-dev-image.sh
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --key-name) KEY_NAME="$2"; shift 2 ;;
+        -h|--help) usage; exit 0 ;;
+        *) echo "Unknown option: $1" >&2; usage >&2; exit 1 ;;
+    esac
+done
+
+mkdir -p "$SSH_DIR"
+
+if [[ ! -f "$SSH_PUB" ]]; then
+    echo "Generating SSH keypair for system user: $SSH_PRIV"
+    ssh-keygen -t ed25519 -N "" -f "$SSH_PRIV" -C "smo-dev@salmanoff"
+fi
+
+if ! command -v snapcraft >/dev/null 2>&1; then
+    echo "snapcraft not found. Install with: sudo snap install snapcraft --classic" >&2
+    exit 1
+fi
+
+echo ""
+echo "=== Step 1: log in to the Snap Store (Ubuntu One) ==="
+echo "Run:  snapcraft login"
+echo ""
+if ! snapcraft whoami >/dev/null 2>&1; then
+    echo "Not logged in yet. Complete 'snapcraft login' in this terminal, then re-run this script." >&2
+    exit 1
+fi
+
+ACCOUNT_ID="$(snapcraft whoami 2>/dev/null | awk '/^id:/ {print $2}')"
+if [[ -z "$ACCOUNT_ID" ]]; then
+    echo "Could not read account id from 'snapcraft whoami'" >&2
+    exit 1
+fi
+echo "Account id: $ACCOUNT_ID"
+
+echo ""
+echo "=== Step 2: create and register a signing key ==="
+if ! snap keys 2>/dev/null | awk 'NR>1 {print $1}' | grep -qx "$KEY_NAME"; then
+    echo "No local key named '$KEY_NAME'."
+    echo "Run interactively (you will choose a passphrase):"
+    echo "  snapcraft create-key $KEY_NAME"
+    echo "  snapcraft register-key $KEY_NAME"
+    echo ""
+    echo "Re-run this script after both commands succeed." >&2
+    exit 1
+fi
+
+KEY_FP="$(snap keys 2>/dev/null | awk -v k="$KEY_NAME" '$1 == k {print $2}')"
+if [[ -z "$KEY_FP" ]]; then
+    echo "Could not read SHA3-384 fingerprint for key '$KEY_NAME'" >&2
+    exit 1
+fi
+
+if ! snap known --remote account-key "public-key-sha3-384=${KEY_FP}" >/dev/null 2>&1; then
+    echo "Key '$KEY_NAME' exists locally but is not registered in the store."
+    echo "Run:  snapcraft register-key $KEY_NAME"
+    echo "Then re-run this script." >&2
+    exit 1
+fi
+
+echo "Signing key: $KEY_NAME ($KEY_FP)"
+
+if [[ ! -f "$ENV_FILE" ]]; then
+    cp "$EXAMPLE" "$ENV_FILE"
+fi
+
+tmp="$(mktemp)"
+while IFS= read -r line || [[ -n "$line" ]]; do
+    case "$line" in
+        ACCOUNT_ID=*) echo "ACCOUNT_ID=${ACCOUNT_ID}" ;;
+        SIGN_KEY_NAME=*) echo "SIGN_KEY_NAME=${KEY_NAME}" ;;
+        SSH_PUBKEY_FILE=*) echo "SSH_PUBKEY_FILE=config/ssh/smo-dev.pub" ;;
+        *) echo "$line" ;;
+    esac
+done < "$ENV_FILE" > "$tmp"
+mv "$tmp" "$ENV_FILE"
+
+echo ""
+echo "Wrote $ENV_FILE"
+echo ""
+echo "Next:"
+echo "  scripts/sign-dev-assertions.sh"
+echo "  scripts/build-dev-image.sh"
+echo ""
+echo "SSH to the VM after first boot:"
+echo "  ssh -i ${SSH_PRIV} smo@localhost -p 8022"