How to sign a snap package?

Oliver Grawert ogra at ubuntu.com
Wed Jul 27 09:29:00 UTC 2016


hi,
Am Dienstag, den 26.07.2016, 22:47 +0200 schrieb Ralf Mardorf:
> On Tue, 26 Jul 2016 19:43:10 +0200, Oliver Grawert wrote:
> >Am Dienstag, 26. Juli 2016 19:35:01 CEST schrieb Peng Liu:
> >> Is there any tool we can use to sign a snap package?  
> >
> >i think we call that tool the store ;)
> 
> Assumed upstream builds snaps, providing them as downloads by an
> upstream website, for Linux users of all distros, does it mean, that it
> is required to provide a snap package, a SHA256SUMS and SHA256SUMS.gpg
> or to use the Ubuntu store?
> 

you need to use "a" store ... doesn't have to be the ubuntu store, i
know at the snappy sprint in heidelberg some representatives of the
other distros expressed interest to run their own store ... 

there is no strict requirement how the verification or signing is done
by any store, the design of snappy is flexible enough to allow anything
they/you want to implement ;)

we know how *our* store does it/will do it ... but that doesn't mean
anyone else *needs* to use that mechanism or follow us with the
implementation.

snappy is designed with the freedom of differentiation in mind, it is
all a matter of how much you want to invest, if the will is zero you can
always use our store, if you have the resources you can totally build
all your own infrastructure around the core...
 
the one thing you cant change is the core design though, to keep
compatibility among implementations intact and keep snaps installable
across all possible targets.

ciao
	oli
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/snapcraft/attachments/20160727/5789d9a8/attachment.sig>


More information about the Snapcraft mailing list