I’m interested in distributing an application, and I want my customers to be able to verify that my team is the author of the package (and that it hasn’t been tampered with since we published it).
My current understanding is that upon uploading a snap, the store itself signs that package. And when a customer goes to install that package, the store’s signature is verified.
I read through this thread (isv-questions-about-signing-a-snap/2546), but it’s not exactly what I’m talking about. I’m not interested in further securing my interaction with the snap store. I’m interested in providing some signature or checksum that is ideally verified by snapd itself during its install process.
In that thread I came across assertions, specifically the snap-build assertion and it does seem to describe what I want.
But if I’m understanding the docs correctly, it’s not checked by my customer’s computer:
> Currently, the only usage of this assertion is to provide traceability between publisher and snap. It is not checked by snapd or other parts of the system.
Is there a way to get snap to manually verify a snap against such a build assertion? Or is there an easier way to do what I’m talking about?
More specifically, I want to (cryptographically) protect my users against a rogue snap maintainer that has the ability to tamper with snap packages.
This is reasonably common in most distribution channels:
- pacman
- play store
- brew has a mechanism to specify the sha of binaries downloaded by the formula
- other package managers allow me to build my application from source (and my users just have to eyeball the script to verify its sanity)
I can provide more instances of this, but if I’m understanding the system correctly snap is the first system where I just have to trust that no administrator is gonna go in my app and install a backdoor.
I’d love to be incorrect and simply be overlooking some magic that snapcraft is doing by default, but if this is the case, isn’t there a key I need to back up securely if I want to keep publishing my app?
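The kind of manual, out-of-band check the post is asking about (a brew-style digest comparison of a downloaded .snap against the digest a publisher ships in a snap-build assertion), as an added example; this is not code from the thread, from snapd or from snapcraft, and it does not answer whether snapd itself performs this check. It assumes the plain "key: value" header layout of snap assertions with `snap-sha3-384` and `snap-size` headers, assumes the digest is base64url-encoded SHA3-384 (snapd's encoding, as far as I know; treat as an assumption), and uses a constructed in-memory byte string as a stand-in for a real .snap file. It deliberately does not verify the assertion's signature, so on its own it only proves the file matches the digest, not who produced the digest.

```python
"""Manual integrity check of a .snap against a snap-build assertion's digest.

Added example, not code from the forum thread, snapd or snapcraft.
Assumptions (labelled): assertion headers are 'key: value' lines ending at
the first blank line; snap-sha3-384 is base64url-encoded SHA3-384; the
sample snap bytes and assertion below are constructed stand-ins.
"""
import base64
import hashlib
import hmac
from typing import Dict


def parse_assertion_headers(text: str) -> Dict[str, str]:
    """Parse the header block of an assertion (assumed 'key: value' lines).

    Headers end at the first blank line; everything after it (the signature)
    is ignored, because this routine does NOT verify the signature.
    """
    headers: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() == "":
            break
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[key.strip()] = value.strip()
    return headers


def snap_digest(blob: bytes) -> str:
    """base64url SHA3-384 of the file bytes; 48 bytes encode to 64 chars, no padding."""
    return base64.urlsafe_b64encode(hashlib.sha3_384(blob).digest()).decode("ascii")


def check_snap_against_build_assertion(blob: bytes, assertion_text: str) -> bool:
    """True iff size and digest both match the assertion (signature not checked)."""
    h = parse_assertion_headers(assertion_text)
    if h.get("type") != "snap-build":
        raise ValueError("not a snap-build assertion")
    if int(h["snap-size"]) != len(blob):
        return False  # cheap pre-check; a truncated or padded file fails here
    # constant-time comparison of the two digest strings
    return hmac.compare_digest(snap_digest(blob), h["snap-sha3-384"])


# Constructed stand-in for a downloaded .snap (NOT a real squashfs image).
SAMPLE_SNAP = b"hsqs" + b"\x00" * 60 + b"constructed stand-in for a snap payload"


def make_sample_assertion(blob: bytes) -> str:
    """Build a snap-build-shaped header block for the constructed sample.

    All identifiers are placeholders and no real signature is attached.
    """
    return (
        "type: snap-build\n"
        "authority-id: example-publisher\n"      # placeholder
        "series: 16\n"
        "snap-id: placeholder-snap-id\n"          # placeholder
        f"snap-sha3-384: {snap_digest(blob)}\n"
        f"snap-size: {len(blob)}\n"
        "grade: stable\n"
        "timestamp: 2020-01-01T00:00:00Z\n"
        "\n"
        "placeholder-signature-not-verified\n"
    )


def demo() -> Dict[str, bool]:
    """Pristine file passes; a same-length one-byte edit and a truncation fail."""
    assertion = make_sample_assertion(SAMPLE_SNAP)
    flipped = SAMPLE_SNAP[:-1] + b"!"   # same size, last byte changed
    truncated = SAMPLE_SNAP[:-1]        # size mismatch
    return {
        "pristine": check_snap_against_build_assertion(SAMPLE_SNAP, assertion),
        "flipped": check_snap_against_build_assertion(flipped, assertion),
        "truncated": check_snap_against_build_assertion(truncated, assertion),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

To use it on a real download you would read the .snap bytes from disk and the assertion text from the publisher's out-of-band channel, then call `check_snap_against_build_assertion`; a matching digest still only tells you the file is the one the assertion describes, so the assertion itself has to reach the user over a path the store administrator cannot rewrite, and its signature has to be checked separately against the publisher's key.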