How to sign a snap package?

Mark Shuttleworth mark at ubuntu.com
Wed Jul 27 06:43:43 UTC 2016


On 26/07/16 22:47, Ralf Mardorf wrote:
> On Tue, 26 Jul 2016 19:43:10 +0200, Oliver Grawert wrote:
>> On Tuesday, 26 July 2016 at 19:35:01 CEST, Peng Liu wrote:
>>> Is there any tool we can use to sign a snap package?  
>> I think we call that tool the store ;)
> Assuming upstream builds snaps, providing them as downloads on an
> upstream website for Linux users of all distros, does it mean that it
> is required to provide a snap package, a SHA256SUMS and SHA256SUMS.gpg,
> or to use the Ubuntu store?

Yes, both work.

If you are publishing snaps on your website then it would be recommended
to provide a GPG-signed list of digests as you suggest. Simplistically:

 * on an https web page
 * have a directory listing your snaps and a sha256sums.txt
 * which lists the snaps and their digests, and is GPG clear-text signed

If you push your snap to the Ubuntu store, then the store will publish
signatures which snapd will use to validate the snap on install and on
refresh.

In future, you'll be able to GPG sign the snap before you push it to the
store, so snapd actually checks that YOU built it, not just that the
store claims you uploaded it.

Different store implementations (the snap format is independent of the
store) will take different approaches; I've just outlined how we're
doing it in Ubuntu with snapd, and how you can publish raw signed snaps
on your site.

Hope that helps!

Mark
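
An added worked example for the website publishing scheme outlined above; it is not code from this thread, from snapd or from the store. The publisher side is assumed to be `sha256sum *.snap > sha256sums.txt` followed by `gpg --clearsign sha256sums.txt`. The Python below is the consumer side: it asks gpg whether the clear-signed listing carries a valid signature from a publisher fingerprint the user is assumed to have obtained out of band and imported already, and only then checks each downloaded snap against the digests the signature actually covers. The function names, the sample snap names and the listing contents are constructed for the example.

```python
"""Consumer-side check of a GPG clear-signed sha256sums.txt for snaps.
Added example (not from the snapcraft list, snapd or the store). Assumes the
publisher ran `sha256sum *.snap > sha256sums.txt` and `gpg --clearsign` on it."""
import hashlib
import re
import subprocess
from pathlib import Path
from typing import Callable, Dict, Optional

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
# sha256sum line: 64 hex digits, "  " (text mode) or " *" (binary mode), name
DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def verify_signature(signed_path: str, expected_fpr: str) -> bool:
    """Step 1: does gpg report '[GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-fpr>'
    for the publisher's key? GOODSIG alone says nothing about *which* key signed.
    Assumes expected_fpr (40 hex digits, obtained out of band) is in the local keyring."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", signed_path],
                          capture_output=True, text=True)
    want = expected_fpr.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            if want in (parts[2].upper(), parts[-1].upper()):  # signing subkey or primary
                return True
    return False


def extract_clearsigned_body(text: str) -> str:
    """Return only the text the signature covers (RFC 4880 section 7): after the
    'Hash:' headers, before the signature block, with '- ' dash-escaping undone."""
    lines = text.splitlines()
    try:
        start = lines.index(CLEARSIGN_BEGIN)
        end = lines.index(SIG_BEGIN, start)
    except ValueError:
        raise ValueError("not a clear-signed message") from None
    i = start + 1
    while i < end and lines[i].strip():  # skip armor headers
        i += 1
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[i + 1:end])


def parse_sha256sums(body: str) -> Dict[str, str]:
    """Map file name -> expected hex digest; lines that are not digests are ignored."""
    found = (DIGEST_LINE.match(line) for line in body.splitlines())
    return {m.group(2): m.group(1).lower() for m in found if m}


def check_digests(digests: Dict[str, str],
                  read_file: Callable[[str], Optional[bytes]]) -> Dict[str, str]:
    """Step 2: per listed file, 'ok', 'mismatch' or 'missing' (read_file gave None)."""
    results = {}
    for name, expected in digests.items():
        data = read_file(name)
        results[name] = ("missing" if data is None else
                         "ok" if hashlib.sha256(data).hexdigest() == expected else "mismatch")
    return results


def verify_snap(snap_path: str, signed_list: str, expected_fpr: str) -> bool:
    """Whole flow for one download: signature first, then digest; a snap the signed
    list does not mention is refused because the signature does not cover it."""
    if not verify_signature(signed_list, expected_fpr):
        return False
    digests = parse_sha256sums(extract_clearsigned_body(Path(signed_list).read_text()))
    snap = Path(snap_path)
    if snap.name not in digests:
        return False
    return check_digests({snap.name: digests[snap.name]},
                         lambda n: (snap.parent / n).read_bytes())[snap.name] == "ok"


# Constructed sample: fake snap contents plus a listing whose signature block is a
# placeholder (not valid), so only step 2's parsing and digest logic runs offline.
SAMPLE_FILES = {
    "hello_1.0_amd64.snap": b"constructed snap contents A",
    "broken_1.0_amd64.snap": b"constructed snap contents B",
}


def build_sample_clearsigned() -> str:
    good = hashlib.sha256(SAMPLE_FILES["hello_1.0_amd64.snap"]).hexdigest()
    wrong = "00" * 32  # deliberately not the digest of broken_1.0_amd64.snap
    return "\n".join([
        CLEARSIGN_BEGIN, "Hash: SHA256", "",
        "- -- constructed listing; gpg dash-escapes lines that start with '-'",
        f"{good}  hello_1.0_amd64.snap",
        f"{wrong}  broken_1.0_amd64.snap",
        f"{good} *absent_1.0_amd64.snap",  # listed but not downloaded
        SIG_BEGIN, "", "bm90IGEgcmVhbCBzaWduYXR1cmU=", "-----END PGP SIGNATURE-----",
    ])


def demo() -> Dict[str, str]:
    body = extract_clearsigned_body(build_sample_clearsigned())
    return check_digests(parse_sha256sums(body), SAMPLE_FILES.get)
```

The ordering is the point: the digests mean nothing until the signature has been checked against the expected key, not merely reported as "good", and a snap the signed list does not mention is not covered at all, however plausible the HTTPS directory listing looks. verify_snap needs gpg on PATH and the publisher's key imported; demo() exercises only the armor parsing and digest comparison on the constructed sample, where the first snap matches, the second has been altered and the third was listed but never downloaded.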
