App store commissioning

SMART START customers benefit from their own IoT app store. While app stores are hosted by Canonical, they are entirely operated by customers. This section describes the first steps a customer takes when commissioning their app store.

IoT app store overview

An illustration of a brand store architecture

Owners curate content to include in their IoT app stores. This content can comprise private snaps and third-party snaps (from the community or ecosystem partners). Apps can only be accessed by authenticated and authorised devices. The serial vault is the private device provisioning service (for authentication) associated with an IoT app store.

Commissioning an IoT app store occurs in four simple steps:

1. Create an IoT app store

The first step is to create a brand account. A brand account has extensive permissions and is used to:

  • Generate, register and hold the signing keys for all associated IoT app stores.
  • Sign configuration files used to build device images with access to the IoT app store.
  • Register key software components hosted in the app store (kernels and bootloaders).

2. Create SSO accounts and assign roles

IoT app stores are administered via a dashboard. Ubuntu SSO is the identity provider for the IoT app store. Each account requires an email address.

The app store administrators can assign the following roles to accounts:

  • Store Administrator: assign roles to other accounts; curate snaps hosted in the store; manage keys stored in the serial vault.
  • Publisher: register snap names in the store; configure a team of collaborators for such snaps; publish specific snap revisions.
  • Collaborator: upload snap revisions to the store; release snap revisions onto store channels.
  • Reviewer: accept uploaded snap revisions before the revision can be published.
  • Viewer: download snaps from IoT app stores; build images that include snaps published in IoT app stores.

3. Configure the serial vault

A serial vault stores various keys and also provides signed configuration files to devices. These keys allow devices to authenticate against IoT app stores. At first boot, a device running Ubuntu Core will perform a provisioning step to retrieve a signed configuration file from the serial vault and establish a session with the IoT app store.

The main configuration files that are stored and served by the serial vault are:

  • Account key: cryptographic key used to sign assertions.
  • Model assertion: a statement by a brand about the properties of a device model. It should contain all information needed to create an Ubuntu Core image.
  • Serial assertion: a statement binding a device identity with the device public key.

All of these are used by the device, serial vault and IoT app store to verify and manage the access to a device.
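The binding between a model assertion and a serial assertion can be checked at the header level. The following is an added example, not Canonical's code: the sample assertions are constructed and simplified to single-line "name: value" headers, the helper names parse_headers and check_binding are hypothetical, and signatures are not verified.

```python
# Constructed sample assertions (simplified: real ones carry multi-line
# values and a real signature; nothing here is verified cryptographically).
MODEL = """type: model
authority-id: example-brand
series: 16
brand-id: example-brand
model: example-gateway
timestamp: 2024-01-01T00:00:00+00:00
sign-key-sha3-384: CONSTRUCTED-KEY-ID

CONSTRUCTED-SIGNATURE
"""
SERIAL = """type: serial
authority-id: example-brand
brand-id: example-brand
model: example-gateway
serial: 0001
device-key: CONSTRUCTED-DEVICE-PUBLIC-KEY
timestamp: 2024-01-02T00:00:00+00:00
sign-key-sha3-384: CONSTRUCTED-KEY-ID

CONSTRUCTED-SIGNATURE
"""

def parse_headers(text):
    """Return the 'name: value' headers that precede the first blank line."""
    headers = {}
    for line in text.split("\n\n", 1)[0].splitlines():
        name, sep, value = line.partition(": ")
        if not sep or not name or name in headers:
            raise ValueError(f"malformed or duplicate header: {line!r}")
        headers[name] = value
    return headers

def check_binding(model_text, serial_text):
    """List the problems found; an empty list means the headers are consistent."""
    m, s = parse_headers(model_text), parse_headers(serial_text)
    problems = []
    if m.get("type") != "model":
        problems.append("first assertion is not a model assertion")
    if s.get("type") != "serial":
        problems.append("second assertion is not a serial assertion")
    if m.get("authority-id") != m.get("brand-id"):
        problems.append("model assertion not issued by its own brand")
    # The serial assertion must name the same brand and device model.
    problems += [f"{f} mismatch" for f in ("brand-id", "model") if m.get(f) != s.get(f)]
    # It binds a device identity (serial) to the device public key.
    problems += [f"serial assertion lacks {f}" for f in ("serial", "device-key") if not s.get(f)]
    return problems
```

A header check like this only catches mismatched or incomplete assertions; trust still depends on verifying each signature against the account key.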

4. Create sub-stores

Store Administrators can create derivative IoT app stores hierarchically tied to their account. Sub-stores can be created for the following use cases:

  • Product sub-stores: enterprises with a product portfolio can create sub-stores associated with different product lines or with specific product models.
  • Ecosystem sub-stores: enterprises can create stores on behalf of their ecosystem partners. These could be resellers, subsidiaries or business partners.

Helpful resources