Summary: Snaps can be downloaded, stored, and installed offline. Here we cover the details, as well as how assertions ensure a downloaded snap is authentic.
Author: Didier Roche firstname.lastname@example.org
There’s a lot more to snap packaging than the simple installation and removal of snaps: you can grant or revoke an application’s access to system resources, reconfigure internal parameters, make a local copy of a snap, and check a snap’s provenance.
This is one of several tutorials covering more advanced snap usage. It shows how to download a snap, download and read its associated assertion, and install the snap locally.
Other advanced tutorials include:
- Monitor snap changes: see the internal state of changes within snapd
We recommend you familiarise yourself with basic snap usage before reading this tutorial. See Getting started for further details.
- how to download a snap from the Snap Store
- how developers can force an insecure installation of a local snap
- how to view and apply an assertion
- how to securely install a local snap offline
What you’ll need
- GNU/Linux with snap installed (see Installing snapd)
- some basic command line knowledge
Download a snap
A snap can be downloaded so that it can be locally archived or installed on a machine without network access:
    $ snap download nethack
    Fetching snap "nethack"
    Fetching assertions for "nethack"
    Install the snap with:
       snap ack nethack_79.assert
       snap install nethack_79.snap
    $ ls nethack*
    nethack_79.assert  nethack_79.snap
As you can see in the above output, a download consists of two parts: the snap itself and its associated assertion. The number in both filenames denotes the revision.
Install a local snap
Trying to install a locally downloaded snap will produce a warning message:
    $ snap install nethack_79.snap
    error: cannot find signatures with metadata for snap "nethack_79.snap"
The warning is issued because the integrity of the snap can’t be verified without its signature, and this is part of the missing assertion. You won’t get this warning if you previously installed the same revision of the snap, as the signature will already be known.
Install without verifying
We don’t recommend forcing an installation without a correctly signed assertion. It’s equivalent to accepting an invalid HTTPS connection, and could put your entire system’s integrity at risk. However, for developers working within a contained environment, it is possible with the --dangerous flag:
    $ snap install nethack_79.snap --dangerous
    nethack 3.6.2 installed
Install with an assertion
To mimic a traditional install from the store, we can manually import the downloaded assertion and then safely install the snap. Assuming nethack isn’t already installed, this is a two-step process:
    $ snap ack nethack_79.assert
    $ snap install nethack_79.snap
    nethack 3.6.2 from 'ogra' installed
Even if we remove and reinstall the nethack snap later on, the signature is cached and checked automatically each time.
Inside an assertion
If you open the .assert file, you will see multiple assertion types and gpg signatures in it:
    $ cat nethack_79.assert
    type: account-key
    authority-id: canonical
    revision: 2
    public-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
    account-id: canonical
    name: store
    since: 2016-04-01T00:00:00.0Z
    body-length: 717
    sign-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk
    [...]

    type: account
    authority-id: canonical
    revision: 94
    account-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
    display-name: Oliver Grawert
    timestamp: 2016-09-19T09:07:05.497416Z
    username: ogra
    validation: unproven
    sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
    [...]

    type: snap-declaration
    authority-id: canonical
    revision: 4
    series: 16
    snap-id: i2ba1vb7DvsIzb8R987xvPGMQWNHiARe
    publisher-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
    snap-name: nethack
    timestamp: 2016-09-05T18:41:50.410382Z
    sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
    [...]

    type: snap-revision
    authority-id: canonical
    snap-sha3-384: uqJ4ch__0ikIkgqLbq15E2AFtEMpJ4KOcj4h5bJwjVfrIB87ebJDmNfq8x_TxZfC
    developer-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
    snap-id: i2ba1vb7DvsIzb8R987xvPGMQWNHiARe
    snap-revision: 79
    snap-size: 13201408
    timestamp: 2019-08-24T10:16:24.232541Z
    sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
    [...]
We are not going to go into too much detail, but you can see that there are different types of assertions (account-key, account, snap-declaration, snap-revision), each with its own metadata and signature.
The snap-declaration carries the snap-name “nethack”, and the file also contains a snap-revision assertion for snap revision “79”.
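The fields shown above link the name to a snap-id (snap-declaration) and the snap-id to the file's size and SHA3-384 digest (snap-revision). As an added example, not part of the original tutorial or of snapd, the Python below follows that chain for a downloaded file. It assumes that snap-sha3-384 is the unpadded URL-safe base64 of the digest and that every header block starts with "type:"; the sample data is constructed.

```python
import base64
import hashlib


def parse_assertions(text):
    """Header fields of each assertion; assumes header blocks start with 'type:'."""
    found = []
    for block in text.split("\n\n"):
        lines = block.strip("\n").splitlines()
        if not lines or not lines[0].startswith("type: "):
            continue  # body or signature block, not headers
        pairs = (l.partition(": ") for l in lines if not l.startswith(" "))
        found.append({key: value for key, sep, value in pairs if sep})
    return found


def snap_digest(data):
    """SHA3-384 as unpadded URL-safe base64 (assumed snap-sha3-384 encoding)."""
    raw = hashlib.sha3_384(data).digest()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def check_snap(snap_bytes, assert_text, name):
    """Check name -> snap-id -> size and digest; signatures are NOT verified."""
    parsed = parse_assertions(assert_text)
    decls = [a for a in parsed
             if a["type"] == "snap-declaration" and a.get("snap-name") == name]
    revs = [a for a in parsed if a["type"] == "snap-revision"]
    if len(decls) != 1 or len(revs) != 1:
        return False, "missing or ambiguous assertions"
    decl, rev = decls[0], revs[0]
    if not rev.get("snap-id") or rev["snap-id"] != decl.get("snap-id"):
        return False, "snap-id mismatch"
    if rev.get("snap-size") != str(len(snap_bytes)):
        return False, "size mismatch"
    if rev.get("snap-sha3-384") != snap_digest(snap_bytes):
        return False, "digest mismatch"
    return True, "matches revision " + rev.get("snap-revision", "?")


# Constructed sample: stand-in snap bytes and an assertion stream built to match.
SAMPLE_SNAP = b"constructed stand-in for the bytes of nethack_79.snap"
SAMPLE_ASSERT = "\n".join([
    "type: snap-declaration", "authority-id: canonical",
    "snap-id: CONSTRUCTED-SNAP-ID", "snap-name: nethack",
    "sign-key-sha3-384: CONSTRUCTED-KEY", "", "CONSTRUCTED-SIGNATURE", "",
    "type: snap-revision", "snap-sha3-384: " + snap_digest(SAMPLE_SNAP),
    "snap-id: CONSTRUCTED-SNAP-ID", "snap-revision: 79",
    "snap-size: %d" % len(SAMPLE_SNAP), "", "CONSTRUCTED-SIGNATURE", "",
])
```

A match only shows that the file is the one the assertion describes; trust in the assertion itself still comes from the signature checks snapd performs on snap ack and snap install.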
View cached assertions
You can find previously stored assertions on the system via the snap known command, with a filter to limit the results to the types of assertions and keys you want to retrieve:
    $ snap known snap-declaration snap-name=nethack
    type: snap-declaration
    authority-id: canonical
    revision: 4
    series: 16
    snap-id: i2ba1vb7DvsIzb8R987xvPGMQWNHiARe
    publisher-id: QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP
    snap-name: nethack
    timestamp: 2016-09-05T18:41:50.410382Z
    sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
    [...]
It sounds natural that download and validation are the first steps performed by snapd when we are installing a snap. But that’s clearly not the end of the story. The permission model and interfaces are a core concept of snaps, and this is a good next step when finding out more about snap.
To find out more:
- Snap confinement explains how snaps are isolated from one another
- while Interface management describes how they share data
- alternatively, try a practical approach by building your own snap with Snapcraft
Finally, you can find our friendly and welcoming community at https://forum.snapcraft.io.