anonymouse64 · September 25, 2020 10:28
diff --git a/sign-system-user-assertion.sh b/sign-system-user-assertion.sh
 #!/bin/bash

 set -e

 # first argument is the name of the key to sign the assertion with
 if [ "$#" != 1 ]; then
    echo "usage: ./sign-system-user-assertion <key-name>"
    exit 1
 fi

 KEYNAME="$1"

 # first get public SHA3 signature of your account key from snapcraft list-keys
 publicSHA3=$(snapcraft list-keys | grep "$KEYNAME" | awk '{print $3}')

 # make sure that we didn't pick up more than one key if you have multiple keys matching the provided name
 if [ "$(echo "$publicSHA3" | wc -w)" != "1" ]; then 
  echo "invalid number of keys found, must be exactly 1"
  exit 1
 fi

 # first always output the "account-key" assertion for this account key
 accountKeyAssertion=$(snap known --remote account-key "public-key-sha3-384=$publicSHA3")

 # then get the account-id from the account-key assertion to get the "account" assertion
 accountID=$(echo "$accountKeyAssertion" | grep -Po "account-id: \K.*")

 # get the "account" assertion
 accountAssertion=$(snap known --remote account "account-id=$accountID")

 # read the json input to get the account-id for the authority-id and the brand-id
 jsonInput="$(cat)"

 # TODO: what about system user assertions that do not have the same authority-id and 
 #       brand-id as the account which is being used to sign the assertion? Those 
 #       probably also need to be included too?

 # brandIDAccountID=$(echo "$jsonInput" | jq -r '.brand-id')

 # if [ "$brandIDAccountID" != "$accountID" ]; then
 #   brandAccountAssertion=$(snap known --remote account "account-id=$brandIDAccountID")
 # fi

 # output the first two assertions
 echo "$accountKeyAssertion"
 echo "$accountAssertion"

 # finally sign the document, this will go back out to stdout
 echo "$jsonInput" | snap sign -k "$KEYNAME"
	#!/bin/bash

	set -e

	# first argument is the name of the key to sign the assertion with
	if [ "$#" != 1 ]; then
	echo "usage: ./sign-system-user-assertion <key-name>"
	exit 1
	fi

	KEYNAME="$1"

	# first get public SHA3 signature of your account key from snapcraft list-keys
	publicSHA3=$(snapcraft list-keys \| grep "$KEYNAME" \| awk '{print $3}')

	# make sure that we didn't pick up more than one key if you have multiple keys matching the provided name
	if [ "$(echo "$publicSHA3" \| wc -w)" != "1" ]; then
	echo "invalid number of keys found, must be exactly 1"
	exit 1
	fi

	# first always output the "account-key" assertion for this account key
	accountKeyAssertion=$(snap known --remote account-key "public-key-sha3-384=$publicSHA3")

	# then get the account-id from the account-key assertion to get the "account" assertion
	accountID=$(echo "$accountKeyAssertion" \| grep -Po "account-id: \K.*")

	# get the "account" assertion
	accountAssertion=$(snap known --remote account "account-id=$accountID")

	# read the json input to get the account-id for the authority-id and the brand-id
	jsonInput="$(cat)"

	# TODO: what about system user assertions that do not have the same authority-id and
	# brand-id as the account which is being used to sign the assertion? Those
	# probably also need to be included too?

	# brandIDAccountID=$(echo "$jsonInput" \| jq -r '.brand-id')

	# if [ "$brandIDAccountID" != "$accountID" ]; then
	# brandAccountAssertion=$(snap known --remote account "account-id=$brandIDAccountID")
	# fi

	# output the first two assertions
	echo "$accountKeyAssertion"
	echo "$accountAssertion"

	# finally sign the document, this will go back out to stdout
	echo "$jsonInput" \| snap sign -k "$KEYNAME"