On 26/07/16 22:47, Ralf Mardorf wrote:
> On Tue, 26 Jul 2016 19:43:10 +0200, Oliver Grawert wrote:
>> On Tuesday, 26 July 2016 19:35:01 CEST, Peng Liu wrote:
>>> Is there any tool we can use to sign a snap package?
>> i think we call that tool the store ;)
> Assuming upstream builds snaps, providing them as downloads from an
> upstream website for Linux users of all distros, does it mean that it
> is required to provide a snap package, a SHA256SUMS and SHA256SUMS.gpg,
> or to use the Ubuntu store?
Yes, both work.

If you are publishing snaps on your website then it would be recommended to provide a GPG-signed list of digests as you suggest. Simplistically:

 * on an https web page
 * have a directory listing your snaps and a sha256sums.txt
 * which is a list of the snaps and their digests, and is gpg clear-text signed

If you push your snap to the Ubuntu store, then the store will publish signatures which snapd will use to validate the snap on install and on refresh.

In future, you'll be able to GPG sign the snap before you push it to the store, so snapd actually checks that YOU built it, not just that the store claims you uploaded it.

Different store implementations (the snap format is independent of the store) will take different approaches. I've just outlined how we're doing it in Ubuntu with snapd, and how you can publish raw signed snaps on your site.

Hope that helps!

Mark

--
Snapcraft mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
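The publish-and-verify flow sketched in the reply above, written out as an added example in POSIX shell (this is not code from the thread, from snapd or from snapcraft). It assumes coreutils `sha256sum` and GnuPG are installed, that the publisher's signing key is in the default keyring, and that a consumer has already imported and checked the publisher's public key; the directory and file names are placeholders. The publisher side produces `sha256sums.txt` and clearsigns it; the consumer side verifies the signature first and only then compares the downloaded snap against the verified digest list.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from snapd/snapcraft.
# Assumptions: coreutils sha256sum and gpg are on PATH; the publisher's key
# is in the default keyring; all paths below are placeholders.

# Publisher side: one "digest  ./name.snap" line per snap in the directory.
# The output path is resolved relative to the caller's working directory.
make_sums_list() {
    dir=$1
    out=$2
    ( cd "$dir" && sha256sum ./*.snap ) > "$out"
}

# Publisher side: clearsign the list so both the digests and the file names
# are covered by the signature. Serve sha256sums.txt.asc next to the snaps
# over HTTPS; the plain list is not needed on the server.
sign_sums_list() {
    plain=$1
    signed=$2
    gpg --armor --clearsign --output "$signed" "$plain"
}

# Consumer side, step 1: verify the signature and extract the signed body.
# gpg --decrypt on a clearsigned file writes the body to --output and exits
# non-zero on a bad signature or an unknown key, so the digest list is only
# trusted after this function returns 0.
verify_sums_signature() {
    signed=$1
    plain=$2
    gpg --batch --output "$plain" --decrypt "$signed"
}

# Consumer side, step 2: compare the downloaded snap(s) in $dir against the
# verified list. sha256sum -c reads the list from stdin (redirected before the
# cd, so the list path is relative to the caller) and returns non-zero if any
# listed file is missing or its digest differs.
check_digests() {
    dir=$1
    plain=$2
    ( cd "$dir" && sha256sum -c ) < "$plain"
}

# Typical use (placeholder paths):
#   make_sums_list ./public ./public/sha256sums.txt
#   sign_sums_list ./public/sha256sums.txt ./public/sha256sums.txt.asc
#   -- after download on the consumer machine --
#   verify_sums_signature ./dl/sha256sums.txt.asc ./dl/sha256sums.verified \
#     && check_digests ./dl ./dl/sha256sums.verified
```

The order on the consumer side matters: the digest list is data fetched from the network and carries no authority until `gpg --decrypt` has accepted the signature, which is why `check_digests` is only run on the body that gpg wrote out rather than on the downloaded file directly. HTTPS protects the transfer, but the signature is what ties the digests to the publisher's key.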
