Hi!
I’ve been using and creating snaps for a few years now, but I never used the `snap login` or `snapcraft login` commands.
After searching the forum and the documentation and reading the help and man pages, I think they work the following way:
`snap login`
- authenticates with snapd and the store (for installing snaps from the store)
- stores credentials in `~/.snap/auth.json`
- allows installing snaps without sudo; only if the user is also in some specific groups
- allows finding/installing/refreshing private snaps
- enables purchasing snaps
`snapcraft login`
- authenticates with the store (for publishing snaps in the store)
- allows registering snap names
- uploading and releasing snaps to the store
- and other snap building and releasing functions
These “logins” are independent of each other. The `snap login` only allows you to “consume” snaps that are already released in the store. To release or modify anything within the store, you have to use `snapcraft` and `snapcraft login`.
Over the years, I also have set up multiple Ubuntu Core 18 and 20 devices using the “prebuilt” images provided by Canonical [1] in the following way:
- flash the image onto the device
- boot up the device
- enter my email address during setup to fetch and install my SSH key automatically
- SSH into the device
- install and configure the necessary snaps
- give the device to a third party
As this process never asks for my Ubuntu One password, I thought this only fetches the SSH keys and creates a local user named the same as my Ubuntu One username. The SSH key and the Ubuntu One username are both publicly available information on Launchpad.
However, I recently stumbled across a post within this forum (I think it was by Oliver Grawert) stating that setting up an Ubuntu Core device this way also logs you into the `snap` command as if you had manually called `snap login`.
This appears to be true. I verified it on one of my Ubuntu Core devices by running `snap whoami` and checking whether `~/.snap/auth.json` exists.
Now, this makes me wonder:
- How can I be authenticated with the snap store on these devices when I never entered any credentials? The only thing I can think of would be some authentication using the private SSH key on my workstation when I connected to the device over SSH the first time. But I do not see how this could work.
- As I have given these devices to others, should I be concerned that my account is compromised?
- Can the credentials within `~/.snap/auth.json` be used to authenticate with `snapcraft`?
I have to say I am surprised by the behavior on Ubuntu Core, as there is no further notice or warning at or after the email prompt.
[1] https://cdimage.ubuntu.com/ubuntu-core/18/stable/current/