Cryptographic technology in Snapcraft¶
Snapcraft uses cryptographic technologies to fetch arbitrary files over the internet, communicate with local processes, and store credentials. It does not directly implement its own cryptography, but it does depend on external libraries to do so.
When building snaps, Snapcraft uses different codebases and libraries depending on the base snap. This means that the cryptographic technology used also depends on the base snap.
core24 and newer¶
Snapcraft is built upon Craft Application and derives much of its functionality from it. In particular, snaps using core24 or newer as their base use Craft Application to build, so much of Snapcraft’s cryptographic functionality is described in the Craft Application cryptography documentation.
Downloading build dependencies¶
Plugins use build tools to download and verify build dependencies. Some plugins can provision their own build tools, while others require the build tools to be available on the system.
For more information on the use of cryptography for plugins provided by Craft Parts, see the Craft Parts cryptography documentation.
For plugins provided by Snapcraft, the following table summarizes how they provision build tools, and which build tools they use to download and verify dependencies.
Plugin |
Build tools used |
Method of provisioning the build tools |
|---|---|---|
|
Not provisioned |
|
Conda |
|
Requests library and curl |
Flutter |
|
Git |
|
Git |
core22¶
Snaps using core22 as their base snap depend on various external libraries to build.
Public key signing¶
Snapcraft supports the adding and verification of arbitrary package repositories. For more information, see the Craft Archives cryptography documentation.
The parts system¶
Snapcraft makes use of parts in project files for declarative builds. Parts specified by the user may download arbitrary files, install packages, and modify files in the build environment. For more information, see the Craft Parts cryptography documentation.
Creating virtual build environments¶
Snapcraft instantiates and executes builds on self-allocated virtual instances. For more information, see the Craft Providers cryptography documentation.
Downloading build dependencies¶
Snaps using core22 have the same plugin support as core24. See the core24 section for more information on how Snapcraft downloads and verifies build dependencies.
core20¶
Snaps using core20 as their base snap depend on various external libraries to build.
Creating virtual build environments¶
Snapcraft instantiates and builds snaps on self-allocated virtual instances. It uses the Requests library to install Multipass on Windows. Build environments for other operating systems are handled by the local snap daemon (snapd).
Communication with snapd¶
Snapcraft uses the Requests library to communicate over Unix sockets with snapd. These requests fetch information about required software. If the software is missing, Snapcraft will install it through snapd. This is done by querying the snapd API with URLs built dynamically and sanitized by urllib.
Sources¶
Downloading repositories¶
When a part sources a remote repository, Snapcraft clones the repository with the
appropriate version control tool. The protocol used, such as SSH or HTTPS,
depends on the source URL and support from the version control tool.
Version control system |
Tool used |
|---|---|
|
|
|
|
|
|
|
Downloading source files¶
When a part sources a .deb, .rpm, .snap, .tar, .zip, .7z, or an
executable file, Snapcraft calls the Requests library to download it.
If the part has the source-checksum key, then the integrity of the source file will be verified. The checksum is verified using hashlib, so all algorithms available to the hashlib library can be used.
Dependencies¶
Downloading system packages¶
System dependencies are downloaded and verified using snapd and APT.
Downloading build dependencies¶
Plugins use build tools to download and verify build dependencies. Some plugins can provision their own build tools, while others require the build tools to be available on the system. The following table summarizes how plugins provision build tools and which build tools are used to download and verify dependencies.
Plugin |
Build tools used |
Method of provisioning the build tools |
|---|---|---|
Catkin |
|
Not provisioned |
|
Not provisioned |
|
Conda |
|
Requests library and curl |
Crystal |
|
|
Not provisioned |
||
Not provisioned |
||
Requests library and curl |
||
Not provisioned |
Public key signing¶
Snapcraft uses cryptographic processes to parse public keys and optionally retrieve them from remote servers. It does not directly implement its own cryptography, but depends on GNU Privacy Guard (GPG) to do so.
A declaration of a package repository includes a mandatory key-id field that
specifies the fingerprint of the repository’s public key. This public key can either be
stored locally or automatically fetched by Snapcraft.
If the key file is located as part of the project’s assets, Snapcraft uses GPG as
provided by the official Ubuntu archives to ensure that the file matches the declared
fingerprint. If the key file is not present locally, Snapcraft uses GPG in conjunction
with dirmngr (also from the Ubuntu archives) to fetch the key from the OpenPGP
keyserver at keyserver.ubuntu.com.
In either scenario, Snapcraft then creates an APT data source for the package repository referencing the identified key. It does not validate that the remote repository is signed with the key, as APT itself does this as part of its normal operation.
Remote building¶
Remote snap builds use Craft Application. The cryptographic functionality used for remote builds is described in the Craft Application cryptography documentation.
Snapcraft’s legacy remote builder uses launchpadlib to interact with the Launchpad API and trigger remote builds. Login credentials for Launchpad are stored in a plain text file in the XDG data directory.
Interaction with storefronts¶
Snapcraft interfaces with the Snap Store and private stores over the internet. Some store interactions are driven through Craft Store, such as authentication and listing releases. For more information, see the Craft Store cryptography documentation.
For interactions that don’t use Craft Store, Snapcraft uses cryptographic processes to send files between devices and endpoints through the internet. It does not directly implement its own cryptography, but it does depend on external libraries to do so.
Authentication¶
Snapcraft uses macaroons, as an authentication mechanism, which are processed by the macaroonbakery library. This library validates and manages macaroons as returned by stores and simplifies the inclusion of macaroons in further requests to stores.
Credentials may additionally be stored on-disk using the keyring library, which
will use the keyring service provided by the host operating system. If the host does
not have a keyring service, they will instead be stored in a plain text file called
credentials.json under the application’s data storage directory. A warning is
issued to the terminal when this behavior is triggered. This behavior is available to
ease the usage of Snapcraft inside virtual machines and containers, but is generally
discouraged.
Network connectivity¶
Snapcraft uses urllib to simplify and harden the parsing of URLs.
Connections over the internet are mediated by the Requests or httpx libraries. libraries. These libraries handle cryptographic operations, such as the TLS handshake, that are standard requirements for modern internet connections. They are configured to always attempt HTTPS connections first, but have the ability to communicate over HTTP as a fallback. The Snap Store does not support HTTP, but this capability is retained to aid with local testing. Between these two libraries, Snapcraft will use whichever of the two is invoked by the consuming application.