How do assertions work?

Hello,

I was doing some digging through Snap, and I found snap assertions. What are they for, and how do they work?

Example assertion:
http://api.snapcraft.io/api/v1/snaps/assertions/snap-revision/DiSPxqtPDkpRK1rKIwuFSdxeNb0x_ulb8zp-drU9W9r2U7mF0t8v6HlYSTfj4L7R

Are assertions mainly for security, and do they have an override switch or not?

Please have a look at the official documentation at https://docs.ubuntu.com/core/en/reference/assertions which already explains what assertions are, how they are structured, what types of assertions exist, etc.

Is it possible to manually generate an assertion for a snap? I can’t quite figure it out from the document.

Like, right after it finishes downloading a snap, it downloads an assertion. Where is that assertion generated?

this specific one … in the store

there are others though, like the model assertion when building an Ubuntu Core image, or the system-user assertion for having a system user created on an Ubuntu Core image, that you (or the image manufacturer) create and sign yourself with your snapcraft key

Is it possible to manually generate an assertion like this, or not?

I don't think it is, since you would need the store key for it to be valid … (ICBW though … some store person would have to chime in here)

A snap-build or snap-revision assertion is signed by the authority which gives you access to the snap, so the store. For others like the system-user assertion it’s signed by the brand. Check the documentation for a few examples.

https://docs.ubuntu.com/core/en/guides/build-device/board-enablement describes how to generate a model assertion and https://docs.ubuntu.com/core/en/guides/manage-devices/index what you need to do to generate a system-user assertion. That will give you a basic idea of how assertions are generated. The store does the same but with its own private key.

Okay.

I am looking at the old open-source snap store implementation, and have managed to get it to mostly work, except Snaps won’t install because they don’t have a valid assertion.

I’m trying to figure that out. How do I generate a valid assertion for that? Does Snap require a specific signing authority?

snap-build is to be signed by the snap developer but yes, snap-declaration and snap-revision are signed by the store

yes, currently that is the case, because of the reasoning around curation and single global namespace as extensively treated in External repositories
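
The signer rules described in this thread (store for snap-declaration and snap-revision, developer for snap-build, brand for model and system-user), as an added Python example that is not part of the original posts and is not snapd code. It reads only the headers of an assertion and does not verify the signature; the rule that authority-id must equal developer-id or brand-id for non-store types, the trusted-store set passed by the caller, and every value in the sample are assumptions.

```python
# Added example, not snapd code: reads headers only, verifies no signature.
# Who the thread says signs each assertion type.
SIGNER_ROLE = {
    "snap-declaration": "store", "snap-revision": "store",
    "snap-build": "developer", "model": "brand", "system-user": "brand",
}
# Assumption: for non-store types, authority-id must equal this header.
ID_HEADER = {"developer": "developer-id", "brand": "brand-id"}

def parse_headers(assertion):
    """Return the header block (everything before the first blank line)."""
    head = assertion.strip().split("\n\n", 1)[0]
    headers = {}
    for line in head.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue  # continuation of a multi-line value
        key, _, value = line.partition(":")
        headers[key] = value.strip()
    return headers

def check_signer(assertion, trusted_store_ids):
    """Return (ok, reason) for the authority-id against the expected signer."""
    h = parse_headers(assertion)
    for name in ("type", "authority-id", "sign-key-sha3-384"):
        if name not in h:
            return False, "missing header: " + name
    role = SIGNER_ROLE.get(h["type"])
    if role is None:
        return False, "no signer rule for type " + h["type"]
    if role == "store":
        ok = h["authority-id"] in trusted_store_ids
    else:
        ok = h["authority-id"] == h.get(ID_HEADER[role])
    verdict = "matches" if ok else "does not match"
    return ok, "authority-id %r %s expected %s signer" % (h["authority-id"], verdict, role)

# Constructed sample: a snap-revision signed by a self-hosted store's own key.
SAMPLE = """type: snap-revision
authority-id: my-local-store
snap-sha3-384: PLACEHOLDER-DIGEST
snap-id: PLACEHOLDER-SNAP-ID
snap-size: 4096
snap-revision: 1
developer-id: my-developer
timestamp: 2020-01-01T00:00:00Z
sign-key-sha3-384: PLACEHOLDER-KEY-ID

PLACEHOLDER-SIGNATURE
"""
```

`check_signer(SAMPLE, {"canonical"})` returns `False` with the reason, which mirrors the situation in the thread: a snap-revision whose authority is not a store the client trusts is not accepted.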