Snapcraft authentication options

Snapcraft’s login credentials can be exported and subsequently used on a system where login is not possible or desired, such as on a system that’s offline. A system keychain can also be used when a system is running without a connected display, as outlined below:

Export snapcraft's login credentials

To export snapcraft’s login credentials, use the export-login command with the name of a file to store the credentials. On any system where Snapcraft is supported, run:

snapcraft export-login <credentials-filename>

You will be asked for your email, password and second-factor authentication.

Using exported snapcraft credentials

On the system you wish to use previously exported credentials, the contents of the credentials file needs to be placed into an environment variable called SNAPCRAFT_STORE_CREDENTIALS. This can be accomplished in many ways, but the following is a good solution:

export SNAPCRAFT_STORE_CREDENTIALS=$(cat <credentials-filename>)

Use snapcraft whoami to verify the credentials work:

$ snapcraft whoami
email: <account-email>
username: <account-name>
id: <account-id>
permissions: package_access, package_manage, package_metrics, 
package_push, package_register, package_release, package_update
channels: no restrictions
expires: 2023-06-15T14:49:49.000Z  

Using a keyring on a headless Linux system

A Linux desktop will typically include an integrated keyring utility to store and retrieve passwords. This process can also be made to work on a headless system with no display connected or accessible desktop.

First, make sure gnome-keyring is installed:

apt install gnome-keyring

Now start a dbus session:

dbus-run-session -- sh 

To unlock the keyring from the command-line, run the following. You will be asked to enter a passphrase, type ctrl+d when done:

gnome-keyring-daemon --unlock

Now you can login as usual:

snapcraft login

Hi, I’m getting the following error:

craft-store error: Credentials could not be parsed. Expected base64 encoded credentials.

When echo "$SNAPCRAFT_STORE_CREDENTIALS", the output is the same as the file <credentials-filename>.

I’ve just tried this with snapcraft latest/stable 7.0.6 2022-06-16 (7710) and it works for me. I did snapcraft logout first, and then the ENV credentials just worked.

The contents of the credentials file/variable really is just a large block of base64 encoded text with no metadata.

$ printenv SNAPCRAFT_STORE_CREDENTIALS
eyJyIjogIk1EQXlPV3h2WTJGMGFXOXVJRzE1WVhCWm1sbGNpQ[...]

I did encounter a problem with snapcraft export-login , however, which now returns the following error after entering the password:

snapcraft output
Traceback (most recent call last):
  File "/snap/snapcraft/7710/bin/snapcraft", line 8, in <module>
    sys.exit(run())
  File "/snap/snapcraft/7710/lib/python3.8/site-packages/snapcraft/cli.py", line 181, in run
    dispatcher.run()
  File "/snap/snapcraft/7710/lib/python3.8/site-packages/craft_cli/dispatcher.py", line 406, in run
    return self._loaded_command.run(self._parsed_command_args)
  File "/snap/snapcraft/7710/lib/python3.8/site-packages/snapcraft/commands/account.py", line 217, in run
    credentials = store.StoreClientCLI(ephemeral=True).login(**kwargs)
  File "/snap/snapcraft/7710/lib/python3.8/site-packages/snapcraft/commands/store/client.py", line 187, in login
    credentials = self.store_client.login(
  File "/snap/snapcraft/7710/lib/python3.8/site-packages/snapcraft/commands/store/_legacy_account.py", line 149, in login
    raise NotImplementedError("Cannot login with legacy")
NotImplementedError: Cannot login with legacy

After reverting to snapcraft 7.0.5 export-login worked again.

1 Like

I can confirm that snapcraft export-login fails with NotImplementedError: Cannot login with legacy in snapcraft 7.0.6, and that reverting to 7.0.5 fixes the problem.

1 Like

I think I did export the login just before the install of the version 7.x was done… Because the login file was like:

[login.ubuntu.com]
macaroon = 
unbound_discharge = 
email =

I was able to export and whoami with the version 7.0.6 and 7.0.7.

Breaking so many existing workflows with no warning for people who publish snaps is unacceptable. At the very least I would expect existing workflows using $SNAPCRAFT_LOGIN with a reasonable expiry date (<1 year) to continue for working for a while. I’ve dropped support for snaps in my project for now. Hopefully snapcraft will be more developer-friendly in the future.

This is unfortunate, 7.0.6 should work with no changes

I see what is going on there; in order to preserve existing workflows, we added a check to see if the plain text credentials were on the file system and loaded another implementation for how credentials are managed, this takes precedence when exporting too; for now, snapcraft logout would clear those credentials and allow you to export (fix upcoming).

1 Like

With v7.0.7 available, reverting to v7.0.5 is no longer an option. I was able to work around this with snap refresh snapcraft --channel=6.x/stable

This should be fixed in 7.0.8 now on latest/candidate and 7.x/candidate

I will be posting small asciinema videos during the course of tomorrow (Friday) on all the login scenarios. Since 7.0.6 we addionally supported “login --with” but since then I saw folks use the “login --with” value with the new environment variable, so added a new code path to support that scenario as well.

1 Like