System-User Assertions and the system time

systems defaulting to a 1970 date should not be possible if they are ported correctly.

using the (kind of mandatory) "fixrtc" commandline option on the kernel commandline. this will always set the system time to either last mount time or creation time of the image.

Some observations that people have made:

* Why check a date range on the system-user assertion. If snapd just checked the expiry timestamp of the assertion, then that may be all that's needed - and it should work in most cases.

* An attempt to prevent use of signed messages based on the *local* clock is unreliable. In most cases, the device owner can directly manipulate the clock and, where they can't, they can
likely insert a spoofed ntp daemon on the network, unless we use an authenticated time source.

The fixrtc solution feels like a bit of a workaround and not a solution. Even with the date/time set by fixrtc we've seen valid system-user assertions fail. The problem is that when a system-user assertion fails, you cannot login to the device to check the logs. From what I remember, it's a silent fail so you have no idea why the system-user is not created.

To me, the main issue is that validating a signed messaged on the local clock isn't secure or reliable.

Including the patch from LP: #1696981 would be an improvement on the current fixrtc, as it looks into the date of some files in the system. I have found that some times the mount date is 1970 on first boot.

if fixrtc works the date can not be 1970 ... (it can surely be off by some margin but never be the epoch)

i know there was a discussion about simply dropping the date checks from assertion verification but i can not find it on https://forum.snapcraft.io now ...

I'm moving this to the snapd project and triaging as high importance.