Snap download and assertions

1. Introduction

There’s a lot more to snap packaging than the simple installation and removal of snaps; you can grant or revoke an application’s access to system resources, reconfigure internal parameters, make a local copy of a snap and check a snap’s provenance.

This is one of several tutorials that cover more advanced snap usage. It covers how to download a snap, download and read its associated assertion, and install the snap locally.

Note: We recommend you familiarise yourself with basic snap usage before reading this tutorial. See Getting started for further details.

You’ll learn:

  • to download a snap from the Snap Store
  • how developers can force an insecure installation of a local snap
  • how to view and apply an assertion
  • how to securely install a local snap offline

What you’ll need

  • GNU/Linux with snap installed (see Installing snapd)
  • some basic command line knowledge


2. Download a snap

A snap can be downloaded so that it can be locally archived or installed on a machine without network access:

$ snap download nethack
Fetching snap "nethack"
Fetching assertions for "nethack"
Install the snap with:
   snap ack nethack_79.assert
   snap install nethack_79.snap
$ ls nethack*
nethack_79.assert  nethack_79.snap

As you can see in the above output, a download consists of two parts: the snap itself and its associated assertion. The number in both filenames denotes the revision.


3. Install a local snap

Trying to install a locally downloaded snap will produce an error message:

$ snap install nethack_79.snap
error: cannot find signatures with metadata for snap "nethack_79.snap"

The error is issued because the integrity of the snap can’t be verified without its signature, which is part of the assertion that hasn’t been imported yet. You won’t get this error if you previously installed the same revision of the snap, as the signature will already be known.

Install without verifying

We don’t recommend forcing an installation without a correctly signed assertion. It’s equivalent to accepting an invalid HTTPS connection, and could put your entire system’s integrity at risk. However, for developers perhaps working within a contained environment, it is possible with the --dangerous option:

$ snap install nethack_79.snap --dangerous
nethack 3.6.2 installed

Install with an assertion

Mimicking a traditional install from the store, we can manually import the downloaded assertion and then safely install the snap. Assuming nethack isn’t already installed, this is a two-step process:

$ snap ack nethack_79.assert
$ snap install nethack_79.snap
nethack 3.6.2 from 'ogra' installed

Even if we remove and reinstall the nethack snap later on, the signature is cached and checked automatically each time.


4. Inside an assertion

If you open the .assert file, you will see multiple assertion types and GPG signatures in it:

$ cat nethack_79.assert
type: account-key
authority-id: canonical
revision: 2
public-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
account-id: canonical
name: store
since: 2016-04-01T00:00:00.0Z
body-length: 717
sign-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk
[...]

type: account
authority-id: canonical
revision: 94
account-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
display-name: Oliver Grawert
timestamp: 2016-09-19T09:07:05.497416Z
username: ogra
validation: unproven
sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
[...]

type: snap-declaration
authority-id: canonical
revision: 4
series: 16
snap-id: i2ba1vb7DvsIzb8R987xvPGMQWNHiARe
publisher-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
snap-name: nethack
timestamp: 2016-09-05T18:41:50.410382Z
sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
[...]

type: snap-revision
authority-id: canonical
snap-sha3-384: uqJ4ch__0ikIkgqLbq15E2AFtEMpJ4KOcj4h5bJwjVfrIB87ebJDmNfq8x_TxZfC
developer-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
snap-id: i2ba1vb7DvsIzb8R987xvPGMQWNHiARe
snap-revision: 79
snap-size: 13201408
timestamp: 2019-08-24T10:16:24.232541Z
sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
[...]

We are not going to go into too much detail, but you can see that there are different types of assertions (account-key, account, snap-declaration, snap-revision), each one with some metadata and a signature.

We can see that the snap-declaration assertion is for the snap-name “nethack”, and that there is also a snap-revision assertion for snap revision “79”.
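
The snap-revision assertion ties one specific file to a revision through its snap-sha3-384 and snap-size headers, and it shares its snap-id with the snap-declaration. The Python below is an added example, not part of the original tutorial or of snapd: it recomputes those values for a downloaded file, assuming snap-sha3-384 is the unpadded base64url SHA3-384 digest of the file. The function names are hypothetical, the sample data is constructed, and signatures are not verified (that remains the job of snap ack).

```python
import base64
import hashlib
import tempfile

def parse_headers(stream):
    """Headers of each assertion in a .assert stream, as a list of dicts.
    Assumption: only blocks opening with "type: " are headers; the rest is skipped."""
    found = []
    for block in stream.replace("\r\n", "\n").split("\n\n"):
        lines = block.strip("\n").split("\n")
        if lines[0].startswith("type: "):
            pairs = (l.split(": ", 1) for l in lines if ": " in l and l[0] != " ")
            found.append(dict(pairs))
    return found

def snap_digest(path):
    """(SHA3-384 as unpadded base64url, size in bytes) of the file at path."""
    h, size = hashlib.sha3_384(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return base64.urlsafe_b64encode(h.digest()).decode().rstrip("="), size

def check_snap(snap_path, stream):
    """Match a snap file against the snap-revision assertion in stream."""
    by_type = {a["type"]: a for a in parse_headers(stream)}
    rev, decl = by_type.get("snap-revision"), by_type.get("snap-declaration")
    if rev is None or decl is None:
        return False, "snap-revision or snap-declaration missing"
    if rev.get("snap-id") != decl.get("snap-id"):
        return False, "snap-revision and snap-declaration name different snaps"
    digest, size = snap_digest(snap_path)
    if str(size) != rev.get("snap-size"):
        return False, "size differs from snap-size"
    if digest != rev.get("snap-sha3-384"):
        return False, "digest differs from snap-sha3-384"
    return True, f"{decl.get('snap-name')} revision {rev.get('snap-revision')}"

if __name__ == "__main__":
    # Constructed sample: a stand-in blob and an unsigned assertion stream.
    with tempfile.NamedTemporaryFile(suffix=".snap") as f:
        f.write(b"constructed stand-in for a snap file")
        f.flush()
        digest, size = snap_digest(f.name)
        stream = ("type: snap-declaration\nsnap-id: EXAMPLE\nsnap-name: demo\n\nc2ln\n\n"
                  f"type: snap-revision\nsnap-sha3-384: {digest}\nsnap-id: EXAMPLE\n"
                  f"snap-revision: 1\nsnap-size: {size}\n\nc2ln\n")
        print(check_snap(f.name, stream))
```

A match only shows that the file is the one the assertion describes; whether the assertion itself can be trusted depends on the signature chain that snapd checks when the assertion is imported.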


5. View cached assertions

You can find previously stored assertions on the system via the snap known command, with a filter to limit the results to the types of assertions and keys you want to retrieve:

$ snap known snap-declaration snap-name=nethack
type: snap-declaration
authority-id: canonical
revision: 4
series: 16
snap-id: i2ba1vb7DvsIzb8R987xvPGMQWNHiARe
publisher-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
snap-name: nethack
timestamp: 2016-09-05T18:41:50.410382Z
sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
[...]

6. Next steps

It sounds natural that download and validation are the first steps snapd performs when we install a snap. But that’s clearly not the end of the story. The permission model and interfaces are core concepts of snaps, and they are a good next step when finding out more about snap.

Finally, you can find our friendly and welcoming community at https://forum.snapcraft.io.