file system signatures and trust model, was Re: Ubuntu Core: how the file-system works

Oliver Grawert ogra at
Fri Jan 20 15:01:43 UTC 2017

Am Freitag, den 20.01.2017, 09:43 -0500 schrieb George Gross:
> Hi,
> at the risk of wading into the weeds, you mentioned below that:
> " also has the advantage that the core and kernel snaps are
> signed
> readonly squashfses and can not just be modified which adds a great
> amount of extra security."
> Is there a Wiki or document explaining the signature private key's
> life
> cycle management? For example, what process happens when the key
> expires
> or is compromised? Who is the entity that actually *signs* the file
> system?

this is probably something the security and store teams can answer
better than me.

> If you built a custom kernel and/or device drivers, how would your
> binaries interact with this file system signature's verification? Can
> you substitute your own software factory/store's signature?

you would create a complete own image based on your own developer
signature using a signed model assertion.

has details on this.

> If you operate your own private CA and sign some file objects within
> the
> snap, does that CA need to be cross-certified with the trust anchor
> CA
> that is vouching for the identity applying the core/kernel file
> system
> signature?

again something the store people are better suited to answer, i dont
exactly know how the CA store side is set up here :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the Snapcraft mailing list