Snapcraft authentication options

Mentioning it here in case it helps anyone else - when using Snapcraft 7 or later, it seems the SNAPCRAFT_STORE_CREDENTIALS env var and the snapcraft login command are mutually exclusive forms of authentication. In other words, if you’ve exported your credentials via snapcraft export-login and have set the env var with those contents, then you do not need to run snapcraft login (in fact you shouldn’t, because you’ll get the

Cannot login with 'SNAPCRAFT_STORE_CREDENTIALS' set.
Recommended resolution: Unset 'SNAPCRAFT_STORE_CREDENTIALS' and try again.

error if you try to).

In my case, I was adapting a previous login flow that used to work for Snapcraft 6, where the credentials were exported to a file and then passed to the snapcraft login command via the --with flag. For Snapcraft 7, at first I was under the impression that I needed to change that to export SNAPCRAFT_STORE_CREDENTIALS=$(cat <credentials-filename>) and then run snapcraft login without the --with flag. But that was wrong and led to the error above; in fact I needed to set the env var and get rid of the snapcraft login command altogether.

The docs here do technically say that (“There are currently two ways to use previously exported snapcraft credentials, either via an environment variable or by using snapcraft login --with.”); however, further down it is phrased a bit ambiguously: “In addition to the above, the snapcraft login command accepts an additional --with argument to reference a login credentials file” - this makes it sound like snapcraft login accepts --with in addition to the env var, which is not the case.

It might be worth explicitly clarifying on this page that the env var and snapcraft login are two separate forms of authentication and only one should be used at a time (and perhaps the error message could call this out as well).

2 Likes

Thanks so much for letting us know, and for such a detailed report. I’ll give this a go and update the documentation to make it clearer.

Is this out of date now? git-ubuntu CI broke recently with authentication issues. When I re-issue the credentials, --with no longer works. It’s not clear to me if this is because --with is no longer supported (as opposed to deprecated), or my saved CI credentials were forced expired and renewing them requires the new mechanism. Anyway, for me, the following therefore seems out of date:

There are currently two ways to use previously exported snapcraft credentials, either via an environment variable or by using snapcraft login --with.

and

Warning: The login --with argument is not supported in Snapcraft 7 and is currently included to help users migrate from the old authentication method to the new.

Hi there, if you want to keep using --with you need to generate your credentials with Snapcraft 6.

Thanks for the update (and @rbasak). I’ve updated the doc to hopefully make it clear.

@alexclewontin did you find a solution in the end? I am facing the exact same issue.

Can we add an alternative to the headless section to pass the password to gnome-keyring from stdin?

root@immune-dolphin:~# cat pass.txt | gnome-keyring-daemon --unlock

Worked on a customer case recently where they weren’t able to provide the password on the command line. Also, can we suggest running a proper bash shell in the dbus session, or was sh chosen for a specific reason?

Starting with snapcraft 7.5.4, the absence of a working keyring will fall back to a file-based backend to store the credentials.

1 Like