hayodea/salmanoff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
Files
038d59f97246d87ad0dbc3e0e8c04ca959fd6b15
salmanoff/distro/ubuntuCore/scripts/sign-dev-assertions.sh
T
hayodea 038d59f972 Add distro/ubuntuCore for UC26 snap and image builds. 
Centralize salmanoff snapcraft, dangerous-model image scripts, and QEMU
workflow so UC26 can be reproduced from the SMO repo without ubuntu-core-practice.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-25 23:01:52 -04:00

107 lines
3.1 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Sign dangerous-grade model + system-user assertions for salmanoff-dev-amd64.
set -euo pipefail
UC_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
ENV_FILE="${UC_ROOT}/config/dev-image.env"
MODEL_TEMPLATE="${UC_ROOT}/models/salmanoff-dev-amd64.model.json"
ASSERT_DIR="${UC_ROOT}/assertions"
usage() {
cat <<'EOF'
Usage: sign-dev-assertions.sh [OPTIONS]
Sign the dev model assertion and a system-user assertion (SSH key, no Ubuntu One).
Requires config/dev-image.env (see scripts/setup-dev-signing.sh).
Outputs:
models/salmanoff-dev-amd64.model
assertions/smo-system-user.assert (account + account-key + system-user chain)
EOF
}
while [[ $# -gt 0 ]]; do
case "$1" in
-h|--help) usage; exit 0 ;;
*) echo "Unknown option: $1" >&2; usage >&2; exit 1 ;;
esac
done
if [[ ! -f "$ENV_FILE" ]]; then
echo "Missing $ENV_FILE — run scripts/setup-dev-signing.sh first" >&2
exit 1
fi
# shellcheck source=/dev/null
source "$ENV_FILE"
: "${ACCOUNT_ID:?ACCOUNT_ID not set in $ENV_FILE}"
: "${SIGN_KEY_NAME:?SIGN_KEY_NAME not set in $ENV_FILE}"
: "${SYSTEM_USER_NAME:=smo}"
: "${SYSTEM_USER_EMAIL:=smo-dev@salmanoff}"
: "${SSH_PUBKEY_FILE:=config/ssh/smo-dev.pub}"
: "${MODEL_NAME:=salmanoff-dev-amd64}"
SSH_PUBKEY_PATH="${UC_ROOT}/${SSH_PUBKEY_FILE}"
if [[ ! -f "$SSH_PUBKEY_PATH" ]]; then
echo "SSH public key not found: $SSH_PUBKEY_PATH" >&2
echo "Run scripts/setup-dev-signing.sh" >&2
exit 1
fi
KEY_FP="$(snap keys 2>/dev/null | awk -v k="$SIGN_KEY_NAME" '$1 == k {print $2}')"
if [[ -z "$KEY_FP" ]]; then
echo "Signing key '$SIGN_KEY_NAME' not found. Run scripts/setup-dev-signing.sh" >&2
exit 1
fi
if ! snap known --remote account-key "public-key-sha3-384=${KEY_FP}" >/dev/null 2>&1; then
echo "Key '$SIGN_KEY_NAME' is not registered in the Snap Store." >&2
echo "Run: snapcraft register-key $SIGN_KEY_NAME" >&2
exit 1
fi
export GPG_TTY="${GPG_TTY:-$(tty)}"
mkdir -p "$ASSERT_DIR" "${UC_ROOT}/models"
TIMESTAMP="$(date -Iseconds --utc)"
MODEL_JSON="$(mktemp)"
MODEL_OUT="${UC_ROOT}/models/${MODEL_NAME}.model"
SYSTEM_USER_JSON="$(mktemp)"
SYSTEM_USER_OUT="${ASSERT_DIR}/smo-system-user.assert"
sed -e "s/@ACCOUNT_ID@/${ACCOUNT_ID}/g" \
-e "s/@TIMESTAMP@/${TIMESTAMP}/g" \
"$MODEL_TEMPLATE" > "$MODEL_JSON"
echo "Signing model → $MODEL_OUT"
snap sign -k "$SIGN_KEY_NAME" "$MODEL_JSON" > "$MODEL_OUT"
SSH_PUB="$(tr -d '\n' < "$SSH_PUBKEY_PATH")"
cat > "$SYSTEM_USER_JSON" <<EOF
{
"type": "system-user",
"authority-id": "${ACCOUNT_ID}",
"brand-id": "${ACCOUNT_ID}",
"series": ["16"],
"models": ["${MODEL_NAME}"],
"name": "Salmanoff Dev",
"username": "${SYSTEM_USER_NAME}",
"email": "${SYSTEM_USER_EMAIL}",
"ssh-keys": ["${SSH_PUB}"],
"since": "2026-06-21T00:00:00+00:00",
"until": "2064-06-21T00:00:00+00:00"
}
EOF
echo "Signing system-user chain → $SYSTEM_USER_OUT"
snap sign -k "$SIGN_KEY_NAME" "$SYSTEM_USER_JSON" --chain > "$SYSTEM_USER_OUT"
rm -f "$MODEL_JSON" "$SYSTEM_USER_JSON"
echo ""
echo "Model authority/brand: $ACCOUNT_ID"
echo "System user: ${SYSTEM_USER_NAME} (SSH pubkey from ${SSH_PUBKEY_FILE})"
echo "Signing key: ${SIGN_KEY_NAME} (${KEY_FP})"
Reference in New Issue View Git Blame Copy Permalink