When revoking an existing validation assertion, snapcraft validate fails

Bug #1912332 reported by Natalia Bidart
Affects: Snapcraft
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Recently some code was added so snapcraft validate would accept a --revoke flag so existing validations could be revoked. When used against staging or prod, this is currently failing with:

'There is already a validation assertion stored for snap-id <snapid> in this context.'

This is a 409 error from the store, which in turn gets it from the snap-assertion-service. The problem is that, for a validation assertion, the primary key is:

series
snap-id
approved-snap-id
approved-snap-revision

So when sending a revoked validation assertion, the primary key does not change and the assertion service fails with 409 (conflict).

The fix for this is to increase the revision of the assertion, for an existing primary key. To do that, snapcraft needs:

1- Find out if there is an existing validation assertion for the given primary key

    curl -s -H "Accept: application/json" "https://api.snapcraft.io/api/v1/snaps/assertions/validation/16/<snap-id>/<approved-snap-id>/<approved-snap-revision>" | jq -S

2- If there is one, check if the assertion has a "revision" field, otherwise assume revision is 0

3- Create the new (revoked) assertion incrementing the revision by 1

4- Sign and push to the store

Furthermore, generalizing this concept, these steps should also be applied when "unrevoking", and basically every time an assertion is being built and signed: snapcraft should try to get an existing assertion for a given assertion key, and if there is a match, craft a new one increasing the revision, to avoid the 409 from the assertion service.
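The revision-bump logic of steps 1-4 above, generalized to revoke and unrevoke, as an added example (not snapcraft's code and not the attached workaround script). It works on the text form of an assertion as shown in the comment below; the sample existing assertion, its revision and timestamp are constructed, the key placeholder is hypothetical, and signing is assumed to happen out of band with `snap sign`.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the existing assertion found for the primary key
# (series, snap-id, approved-snap-id, approved-snap-revision), revision 2.
EXISTING = (
    "type: validation\n"
    "authority-id: AfdTtIZrrGjK2D0xQgvZmGJiVIt6Y3cd\n"
    "revision: 2\n"
    "series: 16\n"
    "snap-id: ivnP3NKZiyReJIJdlzXBRxxl4n3SkcnC\n"
    "approved-snap-id: 99T7MUlRhtI3U0QFgl5mXXESAiSwt776\n"
    "approved-snap-revision: 9437\n"
    "timestamp: 2020-11-02T10:00:00.000000Z\n"
    "sign-key-sha3-384: <sign-key-placeholder>\n"
    "\n"
    "<signature-placeholder>\n"
)

def parse_headers(assertion_text):
    """Split the 'key: value' header block off the signature (first blank line)."""
    head = assertion_text.split("\n\n", 1)[0]
    return dict(line.split(": ", 1) for line in head.splitlines() if line)

def next_revision(existing_headers):
    """Same primary key -> bump revision; a missing 'revision' header means 0.
    No existing assertion (None) -> nothing to bump, stay at the default 0."""
    if existing_headers is None:
        return 0
    return int(existing_headers.get("revision", 0)) + 1

def build_validation(existing_headers, authority_id, snap_id, approved_snap_id,
                     approved_revision, sign_key, revoked=True, series="16"):
    """Unsigned headers of the new assertion, in the order the report shows.
    'revision' is omitted when 0 (the default); 'revoked: true' only on revoke."""
    rev = next_revision(existing_headers)
    fields = [("type", "validation"), ("authority-id", authority_id)]
    if rev:
        fields.append(("revision", str(rev)))
    fields += [("series", series), ("snap-id", snap_id),
               ("approved-snap-id", approved_snap_id),
               ("approved-snap-revision", str(approved_revision))]
    if revoked:
        fields.append(("revoked", "true"))
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    fields += [("timestamp", ts), ("sign-key-sha3-384", sign_key)]
    return "".join(f"{k}: {v}\n" for k, v in fields)

def upload_payload(signed_assertion):
    """JSON body for the dashboard PUT to .../dev/api/snaps/<snap-id>/validations."""
    return json.dumps({"assertion": signed_assertion})
```

Feed the signed output of `snap sign` to `upload_payload` to get the `-d` argument of the `surl -X PUT` call shown in the comment below.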

Natalia Bidart (nataliabidart) wrote :

Attaching a script to act as a workaround for this issue. Instructions to use it:

1- be sure to have handy the snap ID of the gating snap, the account ID of the publisher of the gating snap, the snap ID of the gated snap and the gated revision that is being revoked

2- be sure you have access to a valid, store-registered key belonging to the publisher of the gating snap

3- install "surl" (source code at https://github.com/Roadmaster/surl/), which is a CLI helper to make macaroon-authenticated requests against the store APIs

    $ sudo snap install surl

4- obtain a suitable macaroon with the right permissions to (later) upload the new assertion to the store:

    $ surl -a store-token -e <publisher-email> -p package_access -p package_release -s production

5- generate and sign a new (local) revision of the validation assertion revoking a previous validation (this will create a file that you can review later, nothing will be pushed to the store yet):

    $ python3 revoke_assertion.py <publisher-account-id> <gating-snap-id> <gated-snap-id> <gated-revision> --key <key-name>

6- Review the output and execute the printed surl command

Example of a run:

    $ python3 revoke_assertion.py AfdTtIZrrGjK2D0xQgvZmGJiVIt6Y3cd ivnP3NKZiyReJIJdlzXBRxxl4n3SkcnC 99T7MUlRhtI3U0QFgl5mXXESAiSwt776 9437 --key validations-test

** Please review the assertion before submitting it to the store, assertion was signed and stored in:

 /home/nessita/ivnP3NKZiyReJIJdlzXBRxxl4n3SkcnC-99T7MUlRhtI3U0QFgl5mXXESAiSwt776-9437-r3.assertion

** After assertion review, submit it to the store with:

surl -a store-token -X PUT https://dashboard.snapcraft.io//dev/api/snaps/ivnP3NKZiyReJIJdlzXBRxxl4n3SkcnC/validations -d '{"assertion": "type: validation\nauthority-id: AfdTtIZrrGjK2D0xQgvZmGJiVIt6Y3cd\nrevision: 3\nseries: 16\nsnap-id: ivnP3NKZiyReJIJdlzXBRxxl4n3SkcnC\napproved-snap-id: 99T7MUlRhtI3U0QFgl5mXXESAiSwt776\napproved-snap-revision: 9437\nrevoked: true\ntimestamp: 2021-01-20T14:28:59.663730Z\nsign-key-sha3-384: 39Yykj3WyH-fL3h-Q_3YSlDlEj-XUlT-SxYd6qTJL4dN3BP2Q0rGRO2lQm7XZiEm\n\nAcLBcwQAAQoAHRYhBJAtR/3peIgjQB/uhd0t1+KrVFrbBQJgCD4rAAoJEN0t1+KrVFrbyfMP/j1g\nWnUDvSMpuAJ4hOzI5U3Qt/j9mzhNnpXKw/OuLH3rYGRWEQFMlRZHRc6myOlEZovhORkhy/WJjszR\nP9WA4uNXOzFnZc/dfj74AQwBio5JqMqBcGoIMZi6AgmJ4tyJAJkvxz/lrGLqXftMa9/Yv+bC9tN8\nqHnyBaKc7rjxEjXfeAljBhZbl/ovUlPb+/cCrYIS4gc3rvoAhB8SDboG6h4SVCCzyquyU+MogZQ9\nH3GYw8jKhjrfVMJd/jexanLH2dhAfu4vL7so7yO6VnkEeDMg8W00EA75i8vXUnHi4XrboUvu2tF2\njbJmbPAiyL/C3XDo6eCOZovZE3q7KJaNIwhkig278x1VzCiy+yhq0rbrMgXx8/AqGkGIHE80d3Th\n5Z95QiUObTkW3kIjyDhUYLuy4dG5ikstE7DUC1pL0mzNMZwhTwJzhXZM7HYbwXGFtZC8Jx+CxuMR\nPql1k0jOk4NKHktFaQ5D8ARR0rdU9HGuzkqpOOas9D9tuigOXw8U2gIEdHpWHJJCvPkG1PzRblkx\nBAf45pob9ujVZckUAtBGsmyGrNsJoGk7JitYEhcgJd9KQqU21sZeV/XyGgW4wd8L9X7DJJxdwutP\n1qbxzgCaSFCtDRv7MJWHnhnBkWAoEDGXThdEWLXesPEKNDn1bGpL9lDldqhHumAdsXnSKaET\n"}'

Changed in snapcraft:
status: New → Fix Released