App store commissioning
SMART START customers benefit from their own IoT app store. While app stores are hosted by Canonical, they are entirely operated by customers. This section describes the first steps a customer takes when commissioning their app store.
IoT app store overview
Owners curate the content included in their IoT app stores. This content can comprise private snaps and third-party snaps (from the community or from ecosystem partners). Apps can only be accessed by authenticated and authorised devices. The serial vault is the private device provisioning service (for authentication) associated with an IoT app store.
Commissioning an IoT app store occurs in four simple steps:
1. Create an IoT app store
The first step is to create a brand account. A brand account has extensive permissions. Among other things, it is used to:
- Generate, register and hold the signing keys for all associated IoT app stores.
- Sign configuration files used to build device images with access to the IoT app store.
- Register key software components hosted in the app store (kernels and bootloaders).
2. Create SSO accounts and assign roles
IoT app stores are administered via a dashboard. Ubuntu SSO is the identity provider for the IoT app store. Each account requires an email address.
The app store administrators can assign the following roles to accounts:
| Role | Permissions |
|---|---|
| Store Administrator | Assign roles to other accounts; curate snaps hosted in the store; manage keys stored in the serial vault |
| Publisher | Register snap names in the store; configure a team of collaborators for such snaps; publish specific snap revisions |
| Collaborator | Upload snap revisions to the store; release snap revisions onto store channels |
| Reviewer | Accept uploaded snap revisions before the revision can be published |
| Viewer | Download snaps from IoT app stores; build images that include snaps published in IoT app stores |
3. Configure the serial vault
A serial vault stores various keys and also provides signed configuration files to devices. These keys allow devices to authenticate against IoT app stores. At first boot, a device running Ubuntu Core will perform a provisioning step to retrieve a signed configuration file from the serial vault and establish a session with the IoT app store.
The main configuration files that are stored and served by the serial vault are:
| Item | Description |
|---|---|
| Account key | Cryptographic key used to sign assertions |
| Model assertion | A statement by a brand about the properties of a device model. It should contain all the information needed to create an Ubuntu Core image |
| Serial assertion | A statement binding a device identity to the device's public key |
All of these are used by the device, serial vault and IoT app store to verify and manage the access to a device.
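The provisioning step above only works if the three artefacts line up: the model is signed with the brand's registered account key, and the serial names the same brand and model the image was built for. The following Python is an added example, not serial vault or snapd code; it assumes the snapd assertion text layout (a block of `name: value` headers ended by a blank line) and uses constructed sample assertions with placeholder digests. It checks the header linkage only; signature verification is a separate step.

```python
def parse_headers(text):
    """Header block of an assertion as a dict: 'name: value' lines up to the first blank line."""
    headers = {}
    for line in text.strip().splitlines():
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def check_chain(account_key, model, serial):
    """Problems linking account-key -> model -> serial; an empty list means the chain is consistent."""
    ak, m, s = (parse_headers(t) for t in (account_key, model, serial))
    problems = []
    for hdr, want in ((ak, "account-key"), (m, "model"), (s, "serial")):
        if hdr.get("type") != want:
            problems.append(f"expected type {want}, got {hdr.get('type')}")
    # A brand signs its own model, and the signing key must be the brand's account key.
    if m.get("authority-id") != m.get("brand-id"):
        problems.append("model authority-id differs from brand-id")
    if ak.get("account-id") != m.get("brand-id"):
        problems.append("account-key is registered to a different account than the brand")
    if m.get("sign-key-sha3-384") != ak.get("public-key-sha3-384"):
        problems.append("model sign-key does not match the brand's account key")
    # The serial must bind the device to the same brand/model the image was built from.
    for field in ("brand-id", "model"):
        if s.get(field) != m.get(field):
            problems.append(f"serial {field} {s.get(field)!r} != model {field} {m.get(field)!r}")
    return problems

# Constructed samples (headers only; bodies and signatures omitted, digests are placeholders).
ACCOUNT_KEY = """type: account-key
authority-id: canonical
public-key-sha3-384: PLACEHOLDER-BRAND-KEY-DIGEST
account-id: example-brand"""
MODEL = """type: model
authority-id: example-brand
brand-id: example-brand
model: example-gateway
sign-key-sha3-384: PLACEHOLDER-BRAND-KEY-DIGEST"""
SERIAL = """type: serial
authority-id: example-brand
brand-id: example-brand
model: example-gateway
serial: SN-0001
device-key: PLACEHOLDER-DEVICE-PUBLIC-KEY
sign-key-sha3-384: PLACEHOLDER-BRAND-KEY-DIGEST"""
```

Running `check_chain(ACCOUNT_KEY, MODEL, SERIAL)` returns an empty list; a serial issued for a different model, or a model signed with a key other than the brand's account key, shows up as a named problem.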
4. Create sub-stores
Store Administrators can create derivative IoT app stores hierarchically tied to their account. Sub-stores can be created for the following use cases:
- Product sub-stores: enterprises with a product portfolio can create sub-stores associated with different product lines or with specific product models.
- Ecosystem sub-stores: enterprises can create stores on behalf of their ecosystem partners. These could be resellers, subsidiaries or business partners.