sudo snap install xxxx.snap
error: cannot find signatures with metadata for snap xxxx.snap
any help?
Did you snap ack the assertion you downloaded?
snap ack??
sorry.what is this?
i downloaded darktable.snap from uappexplorer.com and i want install it on ubuntu machine without internet.
Please read the topic to which I linked. This reply in particular.
If you don’t care about the assertion, you can run snap install --dangerous <the darktable snap you downloaded>, but then you won’t receive updates.
2 Likes
we should really not recommend --dangerous casually, snap download itself doesn’t check assertions btw atm
2 Likes
we should really not recommend --dangerous casually, snap download itself doesn’t check assertions btw atm
Isn’t possible for the assertion to be available even if you downloaded from uAppExplorer? I’ve asked a question with the same problem here. I know it’s possible to do this through CLI but would be great to have a different GUI approach
the gui approach is to use the software center, snaps are fully integrated there.
> the gui approach is to use the software center, snaps are fully integrated there.
OK what if I downloaded an app at work, for example, and want to install it at home? .snap files are big since all dependencies are included and since not everyone that uses linux has unlimited data plan this would be an issue. I’m not saying that this should be taken as a bug but at least has a feature to be added. I wouldn’t like to compare to windows since we all are linux users but you can see there that the apps are updatable just by having it downloaded from any site.
well, that would be a feature that the software center should grow then 
unverified apps will never be updateable for a good reason though (breaks all security).
which doesnt mean that a GUI tool integrated into SW-center couldnt have a “this app is insecurely installed, update it anyway at your own risk” checkbox (which in the backend would try to run “snap ack” ) though.
The snap in question wasn’t downloaded via snap download, it was downloaded from uAppExplorer. snap download was suggested as an alternative precisely because it provides the assertion to be snap ackd. However, if the user didn’t want to use snap download and didn’t care about the assertion, --dangerous was suggested with the caveat that it will result in no upgrades. It was not flippant.
well, given that uappexplorer is also just a store frontend (not something that downlolads snaps from random websites or so) it could as well offer an assertion download link alongside … like it probably should use an app:// url to actually spawn the sw-center when you click …
snapd itself as well as SW-center already have the right bits in place, uappexplorer would just have to make use of them.
There is assert-fetcher (a snap by me) that offers a command that does the fetching of assertions into an .assert file given a .snap file (if possible).
I think we might want to add that as a command to “snap” or a variant of “snap known”, or have an easy endpoint just for that in the store, at some point.
1 Like
my issue is that a file taken from a 3rd party website seems a bit of strange context to wonder about the user not caring about assertions, it seems indeed more a case where they would be good for security. in general users should try to have them unless it’s their own snap and they don’t want updates for some reasons. the assertions provided by the store carry both an integrity hash and also mean the store run the reviewers automatic checks on the snap etc…
As @pedronis points out, the lack of updates here is the least of the problems. There’s a good reason why it’s called –dangerous and not –no-updates. 
People downloading snaps from web sites online and using –dangerous aren’t much better off than curl | bash -
maybe its not solved.
This ties into https://github.com/stub42/layer-snap/issues/9
I’m getting requests for more offline installation support. In particular, the core snap. This is a terrible idea. If you need to do deployments in network restricted environments, it is almost always for security reasons. If this forces you to install critical snaps like ‘core’ without automatic updates, you are actually making security worse.
So I’m wondering if I should not support offline deployments, at a minimum requiring a web proxy with access to the snap store. On one hand, I feel that if operators feel they understand and can handle the security issues I should not stop them. On the other hand, it certainly means production deployments with security updates silently disabled and I really don’t want to deal with fallout from them.
2 Likes
I totally agree, it would be much easier to download for offline install and just delta update for latest version
1 Like
@ogra could you briefly explain to UAppExplorer what you mean? https://github.com/bhdouglass/uappexplorer/issues/88
1 Like
@ogra said that this (downloading .snaps and .asserts for install offline) should be handled by Ubuntu Software. I spoke to the Ubuntu Desktop team and they dismissed the idea (scroll to the bottom), I don’t think this is going to go anywhere sadly unless UAppExplorer on their own figure out how to do it.
1 Like
They may simply call snap download for that. It will download both the file and the assertions. They can also contact the store directly, though. Please ask them to open a more specific topic here in the forum and we can tell them exactly how to extract the necessary assertions from the store.