Install .snap files offline

milad0123 2017-04-17 02:26:46 UTC #1

hi.
is it possible to download .snap files from uappexplorer.com and install it offline in ubuntu like .deb files?
how?

Behaviour for installing classic, devmode and unsigned snaps in a GUI

kyrofa 2017-04-17 04:07:59 UTC #2

This topic might be helpful.

milad0123 2017-04-17 04:58:30 UTC #3

sudo snap install xxxx.snap
error: cannot find signatures with metadata for snap xxxx.snap
any help?

kyrofa 2017-04-17 05:00:26 UTC #4

Did you snap ack the assertion you downloaded?

milad0123 2017-04-17 06:11:49 UTC #5

snap ack??
sorry.what is this?
i downloaded darktable.snap from uappexplorer.com and i want install it on ubuntu machine without internet.

kyrofa 2017-04-17 06:13:49 UTC #6

Please read the topic to which I linked. This reply in particular.

If you don’t care about the assertion, you can run snap install --dangerous <the darktable snap you downloaded>, but then you won’t receive updates.

pedronis 2017-04-18 08:44:24 UTC #7

we should really not recommend --dangerous casually, snap download itself doesn’t check assertions btw atm

Alculete 2017-04-18 10:48:00 UTC #8

we should really not recommend --dangerous casually, snap download itself doesn’t check assertions btw atm

Isn’t possible for the assertion to be available even if you downloaded from uAppExplorer? I’ve asked a question with the same problem here. I know it’s possible to do this through CLI but would be great to have a different GUI approach

ogra 2017-04-18 10:52:01 UTC #9

the gui approach is to use the software center, snaps are fully integrated there.

Alculete 2017-04-18 12:14:19 UTC #10

> the gui approach is to use the software center, snaps are fully integrated there.

OK what if I downloaded an app at work, for example, and want to install it at home? .snap files are big since all dependencies are included and since not everyone that uses linux has unlimited data plan this would be an issue. I’m not saying that this should be taken as a bug but at least has a feature to be added. I wouldn’t like to compare to windows since we all are linux users but you can see there that the apps are updatable just by having it downloaded from any site.

ogra 2017-04-18 13:01:52 UTC #11

well, that would be a feature that the software center should grow then unverified apps will never be updateable for a good reason though (breaks all security).
which doesnt mean that a GUI tool integrated into SW-center couldnt have a “this app is insecurely installed, update it anyway at your own risk” checkbox (which in the backend would try to run “snap ack” ) though.

kyrofa 2017-04-18 14:49:19 UTC #12

The snap in question wasn’t downloaded via snap download, it was downloaded from uAppExplorer. snap download was suggested as an alternative precisely because it provides the assertion to be snap ackd. However, if the user didn’t want to use snap download and didn’t care about the assertion, --dangerous was suggested with the caveat that it will result in no upgrades. It was not flippant.

ogra 2017-04-18 14:53:53 UTC #13

well, given that uappexplorer is also just a store frontend (not something that downlolads snaps from random websites or so) it could as well offer an assertion download link alongside … like it probably should use an app:// url to actually spawn the sw-center when you click …

snapd itself as well as SW-center already have the right bits in place, uappexplorer would just have to make use of them.

pedronis 2017-04-18 16:39:54 UTC #14

There is assert-fetcher (a snap by me) that offers a command that does the fetching of assertions into an .assert file given a .snap file (if possible).

I think we might want to add that as a command to “snap” or a variant of “snap known”, or have an easy endpoint just for that in the store, at some point.

pedronis 2017-04-18 16:43:13 UTC #15

my issue is that a file taken from a 3rd party website seems a bit of strange context to wonder about the user not caring about assertions, it seems indeed more a case where they would be good for security. in general users should try to have them unless it’s their own snap and they don’t want updates for some reasons. the assertions provided by the store carry both an integrity hash and also mean the store run the reviewers automatic checks on the snap etc…

niemeyer 2017-04-18 18:03:03 UTC #16

As @pedronis points out, the lack of updates here is the least of the problems. There’s a good reason why it’s called –dangerous and not –no-updates. People downloading snaps from web sites online and using –dangerous aren’t much better off than curl | bash -

milad0123 2017-04-18 22:56:59 UTC #17

maybe its not solved.

stub 2017-04-19 04:11:33 UTC #18

This ties into https://github.com/stub42/layer-snap/issues/9

I’m getting requests for more offline installation support. In particular, the core snap. This is a terrible idea. If you need to do deployments in network restricted environments, it is almost always for security reasons. If this forces you to install critical snaps like ‘core’ without automatic updates, you are actually making security worse.

So I’m wondering if I should not support offline deployments, at a minimum requiring a web proxy with access to the snap store. On one hand, I feel that if operators feel they understand and can handle the security issues I should not stop them. On the other hand, it certainly means production deployments with security updates silently disabled and I really don’t want to deal with fallout from them.

Alculete 2017-04-19 08:07:03 UTC #19

I totally agree, it would be much easier to download for offline install and just delta update for latest version

Ads20000 2017-04-19 12:32:21 UTC #20

@ogra could you briefly explain to UAppExplorer what you mean? https://github.com/bhdouglass/uappexplorer/issues/88