Verifying a snap's contents


#1

For the sake of trust, would it be possible to allow developers to somehow link to the snapcraft.yaml that they built their snap with, in a way that snapcraft can verify that it’s the same snapcraft.yaml that was used to build the snap? Or are there other reliable ways that one can use to verify the snap’s contents? Should be easy if the snap is using the build service… I suppose looking into the snap is good enough, and perhaps checking the manifest (I personally don’t know how that feature works), but I wonder if this idea would improve things further still…


#2

Something like this was already proposed a few days ago: Proposal: Allow exposing the public source repository that is used to build a particular snap in the store page


#3

If you set SNAPCRAFT_BUILD_INFO=1 when building a snap, it will dump the preprocessed snapcraft.yaml in snap/snapcraft.yaml. It will also create snap/manifest.yaml containing revision IDs of source control repos used in the build, and version numbers of build/stage packages.

This is currently opt-in, as it potentially reveals details the snap author would prefer remain private. However, it is enabled by default for builds done through Launchpad or build.snapcraft.io. This is the tech behind the security notices sent to snap authors for out-of-date packages:
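As an added example (not code from this thread or from snapcraft itself), here is how a consumer could use the build info described above once the snap has been unpacked with `unsquashfs`: hash the embedded `snap/snapcraft.yaml` against the preprocessed copy you expect, check that the manifest's recorded source commits are the one you expect, and flag stage packages whose recorded versions differ from ones you know to carry a fix. The manifest layout assumed here (a `source-commit` per part, stage packages recorded as `name=version`), the sample YAML contents and the commit hash are all constructed for the example; the comparison is against the preprocessed file, so a checkout's raw snapcraft.yaml will only match if preprocessing left it unchanged.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread or from snapcraft: compare the build
info that SNAPCRAFT_BUILD_INFO=1 records inside a snap (snap/snapcraft.yaml and
snap/manifest.yaml) with what you expect from the source repository."""
import hashlib
import os
import re
import tempfile

# Constructed sample of a preprocessed snapcraft.yaml as recorded in the snap.
SAMPLE_SNAPCRAFT_YAML = """name: hello-example
version: '1.0'
confinement: strict
parts:
  hello:
    source: https://example.invalid/hello.git
    plugin: autotools
    stage-packages: [libc6, libfoo]
"""
# Constructed manifest; the layout (source-commit per part, name=version
# stage packages) is an assumption made for this example.
SAMPLE_MANIFEST_YAML = """parts:
  hello:
    source-commit: 0123456789abcdef0123456789abcdef01234567
    stage-packages:
    - libc6=2.27-3ubuntu1
    - libfoo=1.0-1
"""
EXPECTED_COMMIT = "0123456789abcdef0123456789abcdef01234567"  # constructed

_COMMIT_RE = re.compile(r"^\s*source-commit:\s*([0-9a-f]{7,40})\s*$")
_PKG_RE = re.compile(r"^\s*-\s*([A-Za-z0-9.+-]+)=(\S+)\s*$")


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def read_manifest(path):
    """Pull source commits and name=version package entries out of the manifest.
    A line scan rather than a YAML parser: only these two fields are checked."""
    commits, packages = [], {}
    with open(path) as f:
        for line in f:
            m = _COMMIT_RE.match(line)
            if m:
                commits.append(m.group(1))
                continue
            m = _PKG_RE.match(line)
            if m:
                packages[m.group(1)] = m.group(2)
    return commits, packages


def verify_snap(unpacked_dir, reference_yaml, expected_commit, fixed_versions=None):
    """unpacked_dir is the tree `unsquashfs` produced from the .snap file.
    Returns findings as a dict; the caller decides which of them block use."""
    embedded = os.path.join(unpacked_dir, "snap", "snapcraft.yaml")
    manifest = os.path.join(unpacked_dir, "snap", "manifest.yaml")
    findings = {"has_build_info": os.path.isfile(embedded) and os.path.isfile(manifest)}
    if not findings["has_build_info"]:
        return findings  # built without SNAPCRAFT_BUILD_INFO=1: nothing to compare
    # Byte-for-byte comparison against the preprocessed snapcraft.yaml you expect.
    findings["yaml_matches"] = sha256_of(embedded) == sha256_of(reference_yaml)
    commits, packages = read_manifest(manifest)
    findings["commit_matches"] = bool(commits) and all(c == expected_commit for c in commits)
    findings["stage_packages"] = packages
    # Plain inequality against the version you know carries a fix, not Debian
    # version ordering: read a hit as "needs a look", not "definitely vulnerable".
    fixed_versions = fixed_versions or {}
    findings["version_mismatches"] = {
        name: (packages[name], fixed) for name, fixed in fixed_versions.items()
        if name in packages and packages[name] != fixed
    }
    return findings


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Verify a constructed unpacked snap against a matching reference and
    against one that differs by a single stage package."""
    with tempfile.TemporaryDirectory() as tmp:
        unpacked = os.path.join(tmp, "squashfs-root")
        _write(os.path.join(unpacked, "snap", "snapcraft.yaml"), SAMPLE_SNAPCRAFT_YAML)
        _write(os.path.join(unpacked, "snap", "manifest.yaml"), SAMPLE_MANIFEST_YAML)
        good_ref = os.path.join(tmp, "good", "snapcraft.yaml")
        _write(good_ref, SAMPLE_SNAPCRAFT_YAML)
        bad_ref = os.path.join(tmp, "bad", "snapcraft.yaml")
        _write(bad_ref, SAMPLE_SNAPCRAFT_YAML.replace("[libc6, libfoo]", "[libc6, libfoo, curl]"))
        fixed = {"libfoo": "1.0-2"}  # constructed: pretend 1.0-2 is the fixed version
        return (verify_snap(unpacked, good_ref, EXPECTED_COMMIT, fixed),
                verify_snap(unpacked, bad_ref, EXPECTED_COMMIT, fixed))


if __name__ == "__main__":
    for label, result in zip(("matching reference", "edited reference"), demo()):
        print(label, result)
```

Run it as-is to see both outcomes; against a real snap, point `verify_snap` at the `squashfs-root` directory `unsquashfs` creates, at your own copy of the preprocessed snapcraft.yaml, and at the commit you published. A missing `snap/manifest.yaml` simply means the build was done without build info, which is the opt-in case the post describes, so the script reports that rather than guessing.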