Verifying a snap package's authenticity

I’m interested in distributing an application, and I want my customers to be able to verify that my team is the author of the package (and that it hasn’t been tampered with since we published it).

My current understanding is that upon uploading a snap, the store itself signs that package. And when a customer goes to install that package, the store’s signature is verified.

I read through this thread (isv-questions-about-signing-a-snap/2546), but it’s not exactly what I’m talking about. I’m not interested in further securing my interaction with the snap store. I’m interested in providing some signature or checksum that is ideally verified by snapd itself during its install process.

In that thread I came across assertions, specifically the snap-build assertion and it does seem to describe what I want.

But if I’m understanding the docs correctly, it’s not checked by my customers’ computers:

Currently, the only usage of this assertion is to provide traceability between publisher and snap. It is not checked by snapd or other parts of the system.

Is there a way to get snap to manually verify a snap against such a build assertion? Or is there an easier way to do what I’m talking about?

More specifically, I want to (cryptographically) protect my users against a rogue snap maintainer that has the ability to tamper with snap packages.

This is reasonably common in most distribution channels:

  • pacman
  • play store
  • brew has a mechanism to specify the sha of binaries downloaded by the formula
  • other package managers allow me to build my application from source (and my users just have to eyeball the script to verify its sanity)

I can provide more instances of this, but if I’m understanding the system correctly, snap is the first system where I just have to trust that no administrator is gonna go in my app and install a backdoor.

I’d love to be incorrect and simply overlooking some magic that snapcraft is doing by default, but if this is the case isn’t there a key I need to back up securely if I want to keep publishing my app?

snaps are gpg signed squashfs filesystem images … the moment you are uploading your snap it gets signed by the central store key (of which the public part is hard-compiled into snapd) … if you would not just snap install <yoursnap> but instead download the snap using the snap download ... command, you get the .snap file as well as the .assert file that holds the gpg signature …

if your customers install your snap not coming directly from the store simply make sure they use the .assert file (with the snap ack ... command) and tell them to never use the --dangerous option (which disables the gpg checks) … that way you should be able to provide 100% integrity …
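The reply above describes the download, ack and install flow. As an added example (not from this thread and not snapd's own code), the script below does the complementary offline check a publisher can hand to customers: it reads the snap-revision assertion inside the .assert file, which records the snap's SHA3-384 digest and size (unpadded URL-safe base64, as snapd encodes it), and compares both against the downloaded .snap. The sample snap bytes and the sample assertion, with PLACEHOLDER values, are constructed here for the demonstration.

```python
import base64
import hashlib


def encode_digest(snap_bytes: bytes) -> str:
    # snapd records the digest as unpadded URL-safe base64 of SHA3-384.
    raw = hashlib.sha3_384(snap_bytes).digest()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def snap_revision_headers(assert_text: str) -> dict:
    """Headers of the first snap-revision assertion in a .assert stream.
    Each assertion is a header block, a blank line, then its signature."""
    for block in assert_text.split("\n\n"):
        headers = {}
        for line in block.splitlines():
            # Skip indented continuation lines of multi-line values.
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
        if headers.get("type") == "snap-revision":
            return headers
    raise ValueError("no snap-revision assertion found")


def verify_snap(snap_bytes: bytes, assert_text: str) -> bool:
    """True only if digest and size in the assertion both match the file."""
    h = snap_revision_headers(assert_text)
    return (encode_digest(snap_bytes) == h.get("snap-sha3-384")
            and int(h.get("snap-size", -1)) == len(snap_bytes))


# Constructed sample data: not a real snap and not a real store assertion.
SAMPLE_SNAP = b"hsqs" + b"\x00" * 60         # squashfs magic plus filler
TAMPERED_SNAP = SAMPLE_SNAP[:-1] + b"\x01"   # same size, one byte changed
SAMPLE_ASSERT = f"""type: account
authority-id: canonical
account-id: PLACEHOLDER-ACCOUNT-ID

PLACEHOLDER-SIGNATURE

type: snap-revision
authority-id: canonical
snap-sha3-384: {encode_digest(SAMPLE_SNAP)}
snap-size: {len(SAMPLE_SNAP)}
snap-id: PLACEHOLDER-SNAP-ID
snap-revision: 1
developer-id: PLACEHOLDER-DEVELOPER-ID

PLACEHOLDER-SIGNATURE
"""
```

Call verify_snap() with the bytes of the .snap and the text of the .assert that snap download produced. It only confirms the file is the one the assertion names; snap ack (which has snapd verify the store signature on the assertion) is still required before snap install.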