How to determine if a snap is trusted by the store?

So, Richard Hughes is working on fixing up the snap backend in GNOME Software, and he’s trying to figure out how to map all the things from the non-AppStream world of snapd to the AppStream centric model that GNOME Software presents.

One particular issue is identifying where a snap came from (from the store, if so, where in the store, or was it sideloaded).

An example blob he handed me looked like this (presumably from snapd-glib from snapd from the store):

{
  "channel" : "stable",
  "confinement" : "strict",
  "contact" : "http://www.libreoffice.org/get-help/community-support/",
  "description" : "LibreOffice is a powerful office suite – its clean interface and feature-rich tools help you unleash your creativity and enhance your productivity. LibreOffice includes several applications that make it the most powerful Free and Open Source office suite on the market: Writer (word processing), Calc (spreadsheets), Impress (presentations), Draw (vector graphics and flowcharts), Base (databases), and Math (formula editing).",
  "developer" : "canonical",
  "download-size" : 375025664,
  "icon" : "https://myapps.developer.ubuntu.com/site_media/appmedia/2016/06/LibreOffice-Initial-Artwork-Logo.png",
  "id" : "CpUkI0qPIIBVRsjy49adNq4D6Ra72y4v",
  "name" : "libreoffice",
  "private" : false,
  "resource" : "/v2/snaps/libreoffice",
  "revision" : "18",
  "screenshots" : [
    {
      "url" : "https://myapps.developer.ubuntu.com/site_media/appmedia/2016/06/lo51-base-02.png"
    },
    {
      "url" : "https://myapps.developer.ubuntu.com/site_media/appmedia/2016/06/lo51-calc-01.png"
    },
    {
      "url" : "https://myapps.developer.ubuntu.com/site_media/appmedia/2016/06/lo51-draw-01.png"
    },
    {
      "url" : "https://myapps.developer.ubuntu.com/site_media/appmedia/2016/06/lo51-impress-01.png"
    },
    {
      "url" : "https://myapps.developer.ubuntu.com/site_media/appmedia/2016/06/lo51-math-01.png"
    },
    {
      "url" : "https://myapps.developer.ubuntu.com/site_media/appmedia/2016/06/lo51-writer-01.png"
    }
  ],
  "status" : "available",
  "summary" : "LibreOffice is a powerful office suite including word processing and creation of spreadsheets, slideshows and databases",
  "type" : "app",
  "version" : "5.3.1.2"
}

How do we do this right?

Whether a snap is installed locally or from a store doesn’t make a great difference these days, since we can have assertions (locally or otherwise) that back facts about the given snap being dealt with. So the real delta there is whether the snap is properly signed or has no assertions backing it.

The best way to tell that is via the “revision” field, since the unique low numbered revisions need some sort of coordination for sanity. Looking at the example above, I can tell this system has a proper snap-revision in place assigning the given revision to that blob. Everybody with revision 18 has the same blob installed.

When the snap has no signatures backing it, though, it’ll be revisioned as “x1”, “x2”, and so on, and that means those are local revisions created by the snapd in increasing order of installation. If you remove and reinstall, it starts over.

Out of curiosity, that’s why revisions are provided via the API as strings.

I am talking with the gnome-software guys currently on IRC. What they need is

hughsie: morphis, in gnome-software we need a hostname of where the app has been downloaded from
hughsie: so we know if it can be trusted and so it looks visually different to apps provided by your distro

I think this should be covered by the fact that the backend in gnome-software knows it looks at snaps and the revision field and its semantics @niemeyer outlined above. Will report back once I know more.

Yes, the hostname requirement looks like a means to an end. What’s needed is defining whether the snap comes from a known trustworthy source or not, and that’s what assertion signatures and the revision mechanics outlined above provide.

With snapd, snaps can come from any host or even the local disk, and still be trustworthy because they have proper signatures backing them.

@niemeyer I will look into this with one of the guys from Gnome Software team tomorrow when he has more time for this but he already indicated that we can do something “clever” about handling snaps in the code so that we can abstract this properly and in a good way to not break the concept.

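The revision rule described in the thread, as an added example that is not part of any post and is not GNOME Software or snapd code: it classifies a snap description by its "revision" string and treats anything unexpected as not trusted. The function names, the exact patterns and the fail-closed handling are assumptions; the first sample is trimmed from the blob quoted above and the second is constructed.

```python
import json
import re

# Revision semantics as described in the thread (patterns are an assumption
# derived from its examples):
#   "18" -> store-coordinated revision backed by a snap-revision assertion
#   "x1" -> local revision assigned by snapd to a snap with no signatures
ASSERTED_RE = re.compile(r"[1-9][0-9]*")
LOCAL_RE = re.compile(r"x[1-9][0-9]*")

# Trimmed from the blob quoted in the thread.
STORE_BLOB = '{"name": "libreoffice", "developer": "canonical", "revision": "18"}'
# Constructed sample: a sideloaded snap with no assertions behind it.
LOCAL_BLOB = '{"name": "my-test-snap", "revision": "x2"}'


def classify_revision(revision):
    """Return 'asserted', 'unasserted-local' or 'unknown' for a revision value."""
    # The API provides revisions as strings; any other type is unexpected.
    if not isinstance(revision, str):
        return "unknown"
    if ASSERTED_RE.fullmatch(revision):
        return "asserted"
    if LOCAL_RE.fullmatch(revision):
        return "unasserted-local"
    return "unknown"


def classify_snap(blob):
    """Classify one snap description (JSON text) by its revision field."""
    try:
        snap = json.loads(blob)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(snap, dict):
        return "unknown"
    return classify_revision(snap.get("revision"))


def show_as_trusted(blob):
    """Fail closed: only an asserted revision gets the trusted presentation."""
    return classify_snap(blob) == "asserted"


if __name__ == "__main__":
    for sample in (STORE_BLOB, LOCAL_BLOB, '{"name": "no-revision"}'):
        print(classify_snap(sample), show_as_trusted(sample))
```

Fields such as "developer" or a download hostname play no part in the decision here, matching the point made in the thread that a snap's origin host does not determine whether it is backed by signatures.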