Local sign without publish to store

We have some snap packages which due to property rights, very tight restrictions are applied on them in terms of distribution, such that we are not allowed to upload into 3rd-party repositories, including Snap Store (even with a private snap package, because essentially Canonical is not a partner of the project but would have access to the package). On the other hand, as far as I searched on the Internet, there is no way to sign and verify a package without publishing it to the Snap Store, nor a local private Snap Store functionality. Then we are forced to use --devmode option which does not apply the expected snap sandboxing, degrading what we planned to achieve from producing the snap packages in the first place.

The question is that could we manually and locally do the signing, with or without an account, with or without an Internet connection, and then share this source of trust with our own hosted machines (for testing) and target customers (for distribution) so that no developer mode flag would be required and we could have the full features of snap packaging, isolation, and sandboxing all together? This means for this certain set of snaps, we prefer a distribution mechanism that short-circuits the Canonical Snap Store. I believe then for those snaps there would be no automatic refresh, which in our scenarios is acceptable until someday Canonical decides to open source the Store or provide means by which we could have fully private internal Store mechanisms.

Can’t you use --dangerous to install local packages? That does not circumvent the sandboxing.

2 Likes

there is

with the (currently in beta stage) airgap mode, that allows side loading of signed snaps into the local proxy store already …

for that mode there is also a WIP for “local signing of snaps”, but work on that has only just started and might still take a while until it is available to the general public.

1 Like

Thanks. I supposed that --dangerous is equivalent to --devmode. I ran jail-breaking tests and it fails with dangerous installation, meaning that sandbox is indeed effective.

This is good news. Count +1 for the request for this feature then. Is there any way that I could get notified of when the feature becomes available?