Verifying a snap package's authenticity

Snaps are GPG-signed squashfs filesystem images … the moment you upload your snap, it gets signed by the central store key (the public part of which is hard-compiled into snapd) … if you do not just snap install <yoursnap> but instead download the snap using the snap download ... command, you get the .snap file as well as the .assert file that holds the GPG signature …

If your customers install a copy of your snap that does not come directly from the store, simply make sure they use the .assert file (with the snap ack ... command) and tell them never to use the --dangerous option (which disables the GPG checks) … that way you should be able to provide 100% integrity …
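
As an added illustration (not part of the original post and not snapd code), the sketch below shows what ties a downloaded .snap to its .assert file: the snap-revision assertion records the snap's size and SHA3-384 digest, so a modified .snap no longer matches. It checks only that binding; verifying the signature on the assertion remains snapd's job when snap ack is run. The function names and sample data are constructed for the example.

```python
import base64
import hashlib

def parse_snap_revision(assert_text):
    """Return the headers of the snap-revision assertion in a .assert stream."""
    # Assumed layout: headers, optional body and signature are separated by
    # blank lines, and so are consecutive assertions; "type" is the first header.
    for chunk in assert_text.split("\n\n"):
        if not chunk.startswith("type: snap-revision\n"):
            continue
        headers = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith(" "):  # skip continuation lines
                headers[key] = value
        return headers
    return None

def snap_digest(snap_bytes):
    """SHA3-384 of the snap, base64url without padding (as in snap-sha3-384)."""
    raw = hashlib.sha3_384(snap_bytes).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def matches_assertion(snap_bytes, assert_text):
    """True only if size and digest of the snap equal the asserted values."""
    rev = parse_snap_revision(assert_text)
    if rev is None or "snap-sha3-384" not in rev or "snap-size" not in rev:
        return False  # no usable snap-revision: treat the snap as unverified
    return (rev["snap-size"] == str(len(snap_bytes))
            and rev["snap-sha3-384"] == snap_digest(snap_bytes))

# Constructed sample data, not a real snap or a real store assertion.
SAMPLE_SNAP = b"hsqs" + b"\x00" * 60
SAMPLE_ASSERT = (
    "type: account-key\nauthority-id: canonical\n\nPLACEHOLDER-SIGNATURE\n\n"
    "type: snap-revision\nauthority-id: canonical\n"
    f"snap-sha3-384: {snap_digest(SAMPLE_SNAP)}\n"
    "snap-revision: 1\n"
    f"snap-size: {len(SAMPLE_SNAP)}\n\nPLACEHOLDER-SIGNATURE\n"
)

if __name__ == "__main__":
    print("untouched snap:", matches_assertion(SAMPLE_SNAP, SAMPLE_ASSERT))
    print("modified snap: ", matches_assertion(SAMPLE_SNAP + b"x", SAMPLE_ASSERT))
```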