Hello, I am trying to sign my snap package in a way where my customers are able to verify that I compiled and authored the package. It seems the way to do this is through a snap-build assertion.
The steps I believe should be taken to create this assertion include:
- Run `snapcraft` to generate the .snap file
- Run `snapcraft upload <.snap file>` to upload the snap file to snapcraft
- Run `snapcraft create-key` to create a key
- Run `snapcraft register-key` to register the key that was created
- Run `snapcraft sign-build <.snap file>` to sign the uploaded snap file and upload the assert.
Now, this is all fine, except after this, I don't know how someone is supposed to verify the snap has been signed. When I run `snap download lockbook`, there is no sign-build file or any sign-build assertion in the .assert file.
Is this sign-build assertion automatically checked when my package is installed or downloaded from the snapstore?
If it isn’t, how is someone expected to assert sign-build?
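What a reader can check by hand in the `.assert` file that `snap download` writes next to the `.snap`, as an added example that is not part of the post above and not code from snapd or snapcraft. It parses the assertion serialization format (a header block, an optional body, and a signature block, with assertions separated by blank lines), lists which assertion types the bundle contains, reports whether a `snap-build` assertion is present, and checks that the `snap-sha3-384` and `snap-size` headers match the downloaded file. The sample bundle is constructed in the code (the ids, timestamps and signature strings are placeholders, and the hash is filled in from a stand-in payload); where the `snap-build` assertion would come from is the open question in the post, so the example simply shows both cases. It does not verify the signatures, which needs the signing keys and is what `snap ack` does.

```python
"""Inspect a snap assertion bundle and check it against a downloaded .snap.

Added example, not taken from the post or from snapd/snapcraft. Signatures are
NOT verified here; only the hash/size bindings in the headers are checked.
"""
from __future__ import annotations

import base64
import hashlib


def snap_sha3_384(data: bytes) -> str:
    # snapd writes the raw SHA3-384 digest as base64url without padding.
    digest = hashlib.sha3_384(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def parse_assertions(text: str) -> list[dict]:
    """Split a bundle into assertions: headers, optional body, signature."""
    blocks = [b for b in text.strip().replace("\r\n", "\n").split("\n\n") if b.strip()]
    assertions, i = [], 0
    while i < len(blocks):
        block = blocks[i]
        if not block.startswith("type:"):
            raise ValueError(f"expected a header block, got: {block[:40]!r}")
        headers, last = {}, None
        for line in block.split("\n"):
            if line.startswith(" ") and last is not None:
                headers[last] += "\n" + line.strip()  # continuation of a multi-line value
            else:
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
                last = key.strip()
        i += 1
        body = None
        if int(headers.get("body-length", "0")) > 0:
            body, i = blocks[i], i + 1
        if i >= len(blocks):
            raise ValueError("assertion is missing its signature block")
        signature, i = blocks[i], i + 1
        assertions.append({"headers": headers, "body": body, "signature": signature})
    return assertions


def check_bundle(assert_text: str, snap_bytes: bytes) -> dict:
    """Report what the bundle binds to this exact .snap payload."""
    assertions = parse_assertions(assert_text)
    digest, size = snap_sha3_384(snap_bytes), str(len(snap_bytes))

    def matches(a: dict) -> bool:
        h = a["headers"]
        return h.get("snap-sha3-384") == digest and h.get("snap-size", size) == size

    revisions = [a for a in assertions if a["headers"]["type"] == "snap-revision"]
    builds = [a for a in assertions if a["headers"]["type"] == "snap-build"]
    return {
        "types": sorted({a["headers"]["type"] for a in assertions}),
        "snap_sha3_384": digest,
        "revision_matches": any(matches(a) for a in revisions),  # what snap ack/install binds on
        "has_snap_build": bool(builds),
        "build_matches": any(matches(a) for a in builds),
        "build_authority": [a["headers"].get("authority-id") for a in builds],
    }


# Constructed stand-in for a .snap payload; not a real squashfs image.
SAMPLE_SNAP = b"constructed stand-in for a squashfs .snap payload\n"


def constructed_bundle(snap_bytes: bytes, with_snap_build: bool) -> str:
    """Constructed .assert text in the store's layout. Ids, timestamps and the
    signature lines are placeholders; only the hash and size are real."""
    digest, size = snap_sha3_384(snap_bytes), len(snap_bytes)
    sig = "AcLBXAQAAQoABgUCexample\nplaceholderSignatureNotVerifiedHere"
    parts = [
        "type: snap-declaration\nauthority-id: canonical\nseries: 16\n"
        "snap-id: EXAMPLEsnapid0000000000000000000\n"
        "publisher-id: EXAMPLEpublisherid00000000000000\nsnap-name: lockbook\n"
        f"timestamp: 2023-01-01T00:00:00.000000Z\nsign-key-sha3-384: EXAMPLEstorekey\n\n{sig}",
        f"type: snap-revision\nauthority-id: canonical\nsnap-sha3-384: {digest}\n"
        "developer-id: EXAMPLEpublisherid00000000000000\n"
        "snap-id: EXAMPLEsnapid0000000000000000000\nsnap-revision: 12\n"
        f"snap-size: {size}\ntimestamp: 2023-01-01T00:00:00.000000Z\n"
        f"sign-key-sha3-384: EXAMPLEstorekey\n\n{sig}",
    ]
    if with_snap_build:
        parts.append(
            "type: snap-build\nauthority-id: EXAMPLEpublisherid00000000000000\n"
            f"snap-sha3-384: {digest}\nsnap-id: EXAMPLEsnapid0000000000000000000\n"
            f"grade: stable\nsnap-size: {size}\ntimestamp: 2023-01-01T00:00:00.000000Z\n"
            f"sign-key-sha3-384: EXAMPLEdeveloperkey\n\n{sig}"
        )
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    for with_build in (False, True):
        print(check_bundle(constructed_bundle(SAMPLE_SNAP, with_build), SAMPLE_SNAP))
    # A tampered payload fails both hash checks although the bundle is unchanged.
    print(check_bundle(constructed_bundle(SAMPLE_SNAP, True), SAMPLE_SNAP + b"x"))
```

To run it against a real download, read the `.assert` file and the `.snap` file from `snap download <name>` and pass them to `check_bundle`; the `types` list tells you directly whether a `snap-build` assertion is in the bundle, and `build_authority` shows which account signed it. A match on `snap-build` only means something after the signature has been checked against the developer's registered key, which this script does not do.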