This is actually not a bug, just a format problem. The hash that is returned in the HTTP response from snapd is actually verbatim copied from the snapstore, which returns the hash as a hex-encoded byte array (the hash of the snap is indeed just a raw byte array so it could contain 0 or NUL which is not a valid ASCII string, hence encoding is necessary). However, snap assertions don't encode hashes as hex-encoded, instead they are URL base64 encoded, so this needs to be converted first before it works.
Not sure a bash + cURL equivalent of doing this conversion, but you can do this conversation with Go using:
This is actually not a bug, just a format problem. The hash that is returned in the HTTP response from snapd is actually verbatim copied from the snapstore, which returns the hash as a hex-encoded byte array (the hash of the snap is indeed just a raw byte array so it could contain 0 or NUL which is not a valid ASCII string, hence encoding is necessary). However, snap assertions don't encode hashes as hex-encoded, instead they are URL base64 encoded, so this needs to be converted first before it works.
Not sure a bash + cURL equivalent of doing this conversion, but you can do this conversation with Go using:
b, _ := hex.DecodeStrin g(foo) RawURLEncoding. EncodeToString( b)
assertKey := base64.
And there are of course other options in other programming languages.