Add distro/ubuntuCore for UC26 snap and image builds.

Centralize salmanoff snapcraft, dangerous-model image scripts, and QEMU
workflow so UC26 can be reproduced from the SMO repo without ubuntu-core-practice.

Co-authored-by: Cursor <cursoragent@cursor.com>

distro/ubuntuCore/scripts/sign-dev-assertions.sh

@@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+# Sign dangerous-grade model + system-user assertions for salmanoff-dev-amd64.
+set -euo pipefail
+
+UC_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+ENV_FILE="${UC_ROOT}/config/dev-image.env"
+MODEL_TEMPLATE="${UC_ROOT}/models/salmanoff-dev-amd64.model.json"
+ASSERT_DIR="${UC_ROOT}/assertions"
+
+usage() {
+    cat <<'EOF'
+Usage: sign-dev-assertions.sh [OPTIONS]
+
+Sign the dev model assertion and a system-user assertion (SSH key, no Ubuntu One).
+
+Requires config/dev-image.env (see scripts/setup-dev-signing.sh).
+
+Outputs:
+  models/salmanoff-dev-amd64.model
+  assertions/smo-system-user.assert   (account + account-key + system-user chain)
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        -h|--help) usage; exit 0 ;;
+        *) echo "Unknown option: $1" >&2; usage >&2; exit 1 ;;
+    esac
+done
+
+if [[ ! -f "$ENV_FILE" ]]; then
+    echo "Missing $ENV_FILE — run scripts/setup-dev-signing.sh first" >&2
+    exit 1
+fi
+# shellcheck source=/dev/null
+source "$ENV_FILE"
+
+: "${ACCOUNT_ID:?ACCOUNT_ID not set in $ENV_FILE}"
+: "${SIGN_KEY_NAME:?SIGN_KEY_NAME not set in $ENV_FILE}"
+: "${SYSTEM_USER_NAME:=smo}"
+: "${SYSTEM_USER_EMAIL:=smo-dev@salmanoff}"
+: "${SSH_PUBKEY_FILE:=config/ssh/smo-dev.pub}"
+: "${MODEL_NAME:=salmanoff-dev-amd64}"
+
+SSH_PUBKEY_PATH="${UC_ROOT}/${SSH_PUBKEY_FILE}"
+if [[ ! -f "$SSH_PUBKEY_PATH" ]]; then
+    echo "SSH public key not found: $SSH_PUBKEY_PATH" >&2
+    echo "Run scripts/setup-dev-signing.sh" >&2
+    exit 1
+fi
+
+KEY_FP="$(snap keys 2>/dev/null | awk -v k="$SIGN_KEY_NAME" '$1 == k {print $2}')"
+if [[ -z "$KEY_FP" ]]; then
+    echo "Signing key '$SIGN_KEY_NAME' not found. Run scripts/setup-dev-signing.sh" >&2
+    exit 1
+fi
+
+if ! snap known --remote account-key "public-key-sha3-384=${KEY_FP}" >/dev/null 2>&1; then
+    echo "Key '$SIGN_KEY_NAME' is not registered in the Snap Store." >&2
+    echo "Run: snapcraft register-key $SIGN_KEY_NAME" >&2
+    exit 1
+fi
+
+export GPG_TTY="${GPG_TTY:-$(tty)}"
+
+mkdir -p "$ASSERT_DIR" "${UC_ROOT}/models"
+
+TIMESTAMP="$(date -Iseconds --utc)"
+MODEL_JSON="$(mktemp)"
+MODEL_OUT="${UC_ROOT}/models/${MODEL_NAME}.model"
+SYSTEM_USER_JSON="$(mktemp)"
+SYSTEM_USER_OUT="${ASSERT_DIR}/smo-system-user.assert"
+
+sed -e "s/@ACCOUNT_ID@/${ACCOUNT_ID}/g" \
+    -e "s/@TIMESTAMP@/${TIMESTAMP}/g" \
+    "$MODEL_TEMPLATE" > "$MODEL_JSON"
+
+echo "Signing model → $MODEL_OUT"
+snap sign -k "$SIGN_KEY_NAME" "$MODEL_JSON" > "$MODEL_OUT"
+
+SSH_PUB="$(tr -d '\n' < "$SSH_PUBKEY_PATH")"
+cat > "$SYSTEM_USER_JSON" <<EOF
+{
+  "type": "system-user",
+  "authority-id": "${ACCOUNT_ID}",
+  "brand-id": "${ACCOUNT_ID}",
+  "series": ["16"],
+  "models": ["${MODEL_NAME}"],
+  "name": "Salmanoff Dev",
+  "username": "${SYSTEM_USER_NAME}",
+  "email": "${SYSTEM_USER_EMAIL}",
+  "ssh-keys": ["${SSH_PUB}"],
+  "since": "2026-06-21T00:00:00+00:00",
+  "until": "2064-06-21T00:00:00+00:00"
+}
+EOF
+
+echo "Signing system-user chain → $SYSTEM_USER_OUT"
+snap sign -k "$SIGN_KEY_NAME" "$SYSTEM_USER_JSON" --chain > "$SYSTEM_USER_OUT"
+
+rm -f "$MODEL_JSON" "$SYSTEM_USER_JSON"
+
+echo ""
+echo "Model authority/brand: $ACCOUNT_ID"
+echo "System user: ${SYSTEM_USER_NAME} (SSH pubkey from ${SSH_PUBKEY_FILE})"
+echo "Signing key: ${SIGN_KEY_NAME} (${KEY_FP})"