Snapcraft authentication options

Snapcraft’s login credentials can be exported and subsequently used on a system where login is not possible or desired, such as on a system that’s offline. A system keychain can also be used when a system is running without a connected display, as outlined below:

Export snapcraft's login credentials

To export snapcraft’s login credentials, use the export-login command with the name of a file to store the credentials. On any system where Snapcraft is supported, run:

snapcraft export-login <credentials-filename>

You will be asked for your email, password and second-factor authentication.

The format of exported credentials differ between Snapcraft versions 6 and 7+. Snapcraft 6 exports a decrypted macaroon, which should not be shared, while later releases output a raw block of base64 encoded text that can only be used with Snapcraft 7.0 or greater.

Cannot parse config errors: If you encounter Cannot parse config errors while processing authentication credentials, old credentials are likely stored the snapcraft configuration file which needs to be moved or deleted ($HOME/.config/snapcraft/snapcraft.cfg).

Using exported snapcraft credentials

There are currently two ways to use previously exported snapcraft credentials, either via an environment variable or by using snapcraft login --with.

SNAPCRAFT_STORE_CREDENTIALS environment variable

On the system you wish to use previously exported credentials, the contents of the credentials file needs to be placed into an environment variable called SNAPCRAFT_STORE_CREDENTIALS. This can be accomplished in many ways, but the following is a good solution:

export SNAPCRAFT_STORE_CREDENTIALS=$(cat <credentials-filename>)

snapcaft login --with

In addition to the above, the snapcraft login command accepts an additional --with argument to reference a login credentials file.

snapcraft login --with <credentials-filename>

Warning: The login --with argument is not supported in Snapcraft 7 and is currently included to help users migrate from the old authentication method to the new.

Verifying accepted credentials

Use snapcraft whoami to verify login credentials are working:

$ snapcraft whoami
email: <account-email>
username: <account-name>
id: <account-id>
permissions: package_access, package_manage, package_metrics, 
package_push, package_register, package_release, package_update
channels: no restrictions
expires: 2023-06-15T14:49:49.000Z  

Using a keyring on a headless Linux system

A Linux desktop will typically include an integrated keyring utility to store and retrieve passwords. This process can also be made to work on a headless system with no display connected or accessible desktop.

First, make sure gnome-keyring is installed:

apt install gnome-keyring

Now start a dbus session:

dbus-run-session -- sh 

To unlock the keyring from the command-line, run the following. You will be asked to enter a passphrase, type ctrl+d when done:

gnome-keyring-daemon --unlock

Now you can login as usual:

snapcraft login

Last updated 4 months ago.