There’s a lot more to snap packaging than the simple installation and removal of snaps. This is one of several tutorials that cover more advanced snap usage and details how to download a snap, read its associated assertions, and install the snap locally.
Requirements
This tutorial is suitable for anyone running Ubuntu (or any other system that supports snaps).
You should also be familiar with the concepts covered in the Quickstart guide, and also with basic terminal and command line functions.
Login for convenience
By first logging in to your online snap account you remove the need to use sudo
with privileged snap commands like install, refresh, remove and revert.
If you haven’t already, create a snap account at https://login.ubuntu.com/ and login with the snap login
command:
$ snap login
Personal information is handled as per our privacy notice at
https://www.ubuntu.com/legal/dataprivacy/snap-store
E-mail address: <your-email-address>
Password of <user>: <your-password>
Two-factor code: <your-two-factor-code>
Login successful
You will only be asked for a two-factor code if you have it enabled on your account.
Another advantage of being logged in is that you get access to your private snaps. Private snaps allow developers to share snaps with a small group of people, which is useful for beta-testing, for instance.
You can use snap logout
to log the current user out.
Download a snap
Downloading a snap enables it to be locally archived or installed on a machine without network access.
A snap is downloaded with the snap download <snap-name>
command:
$ snap download nethack
Fetching snap "nethack"
Fetching assertions for "nethack"
Install the snap with:
snap ack nethack_87.assert
snap install nethack_87.snap
Two files are downloaded together. In the above example, these have been downloaded as c and nethack_87.snap
.
The first file contains all the assertions necessary to authenticate and verify a snap’s validity.
The second file contains the snap package itself. A snap is a SquashFS file carrying content alongside metadata to tell the system how it should be manipulated (see Snap Format for more details).
Install a local snap
Attempting to install a locally downloaded snap will initially produce a warning message:
$ snap install nethack_87.snap
error: cannot find signatures with metadata for snap "nethack_87.snap"
The warning is issued because the integrity of the snap can’t be verified without its signature, and this is part of the missing assertion. It’s also why you won’t get this warning if you previously installed the same revision of the snap, as the signature will already be known.
Install without verification
We don’t recommend forcing an installation without a correctly signed assertion. It’s the equivalent to accepting an invalid HTTPS connection, and could put your entire system’s integrity at risk.
However, for developers perhaps working within a contained environment, installation is possible with the --dangerous
option:
snap install nethack_87.snap --dangerous
Install with verification
When a snap is installed from the Snap Store, its assertions are checked automatically. When a snap is downloaded, we need to do this manually.
To do this, we must first import the assertions we downloaded alongside the snap. This is accomplished with the snap ack <assertion-filename>
command:
snap ack nethack_87.assert
The snap ack
command checks the snap by verifying its signature against a known public key held in a local snapd database. Even if a snap is removed and reinstalled, including with the --purge
option, the signature is cached and checked automatically each time.
Inside the assertion file
The assertion file contains several different assertions, all signed with a GPG key.
type: account-key
authority-id: canonical
revision: 2
public-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
account-id: canonical
name: store
since: 2016-04-01T00:00:00.0Z
body-length: 717
sign-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk
[...]
type: account
authority-id: canonical
revision: 94
account-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
display-name: Oliver Grawert
timestamp: 2016-09-19T09:07:05.497416Z
username: ogra
validation: unproven
sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
[...]
type: snap-declaration
authority-id: canonical
revision: 4
series: 16
snap-id: i2ba1vb7DvsIzb8R987xvPGMQWNHiARe
publisher-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
snap-name: nethack
timestamp: 2016-09-05T18:41:50.410382Z
sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
[...]
type: snap-revision
authority-id: canonical
snap-sha3-384: uqJ4ch__0ikIkgqLbq15E2AFtEMpJ4KOcj4h5bJwjVfrIB87ebJDmNfq8x_TxZfC
developer-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
snap-id: i2ba1vb7DvsIzb8R987xvPGMQWNHiARe
snap-revision: 87
snap-size: 13201408
timestamp: 2019-08-24T10:16:24.232541Z
sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
[...]
We are not going to go into too much detail, but you can see that there are different types of assertions (account-key, account, snap-declaration, snap-revision), each one with some metadata and signature. See Assertions for more information on what each assertion is responsible for.
We can see that the snap-declaration corresponds to the snap-name “nethack” and has as well a snap-revision assertion type for snap revision “87”.
View cached assertions
Previously stored assertions can be viewed with the snap known
command.
You can find previously stored assertions on the system with the snap known
command combined with a filter to limit the results to the types of assertions and keys you want to retrieve:
$ snap known snap-declaration snap-name=nethack
type: snap-declaration
authority-id: canonical
revision: 4
series: 16
snap-id: i2ba1vb7DvsIzb8R987xvPGMQWNHiARe
publisher-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
snap-name: nethack
timestamp: 2016-09-05T18:41:50.410382Z
sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
[...]
It sounds natural that download and validation are the first steps performed by snapd when we are installing a snap. But that’s clearly not the end of the story. The permission model and interfaces are a core concept of snaps, and this is a good next step when finding out more about snap.
To find out more:
- Snap confinement explains how snaps are isolated from one another
- while Interface management describes how they share data
- alternatively, try a practical approach by building your own snap with Snapcraft
Finally, you can find our friendly and welcoming community at https://forum.snapcraft.io.