Snapcraft

No support for unsigned package-repositories

Bug #1918969 reported by Robie Basak on 2021-03-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Snapcraft	Triaged	Wishlist	Chris Patterson

Bug Description

My use case is the same as in bug 1918968. I have a local apt repository (file:/// URL) that I'd like to make available via package-repositories. snapcraft currently demands a key-id and a corresponding key (whether available locally in snap/keys/ or from a keyserver). So to use package-repositories in "local mode", I am forced to sign it with a temporary key and provide that to snapcraft.

This seems unnecessary because apt supports a [trusted=yes] option in the sources.list entry.

Expected: snapcraft exposes an option to set [trusted=yes] to pass through to apt.

In the back of my mind I think [trusted=yes] might have recently become the default for file:/// anyway, so it might be sufficient to just stop assuming that a public key always has to be provided. I'm not sure though; if this isn't the case, then I'd like a "trusted: yes" type option under the package-repositories key please.

Sergio Schvezov (sergiusens) on 2021-03-18

Changed in snapcraft:
status:	New → Confirmed

Revision history for this message

Chris Patterson (cjp256) wrote on 2021-03-23:

I talked with Gustavo and we agreed that support for this can be added by introducing a new property `insecure: true` that would be required when key-id is not present. Initial support would be limited to file:/// repos.

Sergio Schvezov (sergiusens) on 2021-03-25

Changed in snapcraft:
status:	Confirmed → Triaged
importance:	Undecided → Wishlist
assignee:	nobody → Chris Patterson (cjp256)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.