// FetchAndCheckSnapAssertions retrieves the assertions for the snap file at
// snapPath through f and cross checks them against the snap using db.
//
// The SHA3-384 digest and the size are computed from the file itself by
// asserts.SnapFileSHA3_384. The digest is the key used to fetch assertions;
// digest and size are then passed to snapasserts.CrossCheck together with
// info.Name() and info.SideInfo.
//
// It returns the hashing error unchanged, a "cannot fetch snap
// signatures/assertions" error when fetching fails, or the result of the
// cross check.
//
// NOTE(review): the result describes the file content at the moment it was
// hashed. Callers presumably keep snapPath out of reach of other writers
// until the snap is used; confirm against the call sites.
func FetchAndCheckSnapAssertions(snapPath string, info *snap.Info, f asserts.Fetcher, db asserts.RODatabase) error {
	digest, fileSize, err := asserts.SnapFileSHA3_384(snapPath)
	if err != nil {
		return err
	}

	fetchErr := snapasserts.FetchSnapAssertions(f, digest)
	if fetchErr != nil {
		return fmt.Errorf("cannot fetch snap signatures/assertions: %v", fetchErr)
	}

	// With the assertions available, compare them with what was measured
	// from the file and with the side info the caller supplied.
	return snapasserts.CrossCheck(info.Name(), digest, fileSize, &info.SideInfo, db)
}
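// doValidateSnap fetches the assertions relevant to the snap being installed
// and cross checks them against the snap file.
//
// The task state is locked for the duration of the call. The SHA3-384 digest
// and size are computed from the file at ss.SnapPath, the assertions for that
// digest are fetched via doFetch, and snapasserts.CrossCheck then compares
// name, digest, size and side info against the assertion database returned by
// DB.
//
// Every failure is returned as an error, so the task cannot complete without
// the snap having been verified. A *store.AssertionNotFoundError is turned
// into a message that distinguishes a missing assertion of type
// asserts.SnapRevisionType from any other missing assertion.
func doValidateSnap(t *state.Task, _ *tomb.Tomb) error {
	st := t.State()
	st.Lock()
	defer st.Unlock()

	ss, err := snapstate.TaskSnapSetup(t)
	if err != nil {
		// Fail closed: returning nil here would mark the validation task
		// as done although no assertion was fetched or checked.
		return fmt.Errorf("internal error: cannot obtain snap setup: %v", err)
	}

	sha3_384, snapSize, err := asserts.SnapFileSHA3_384(ss.SnapPath)
	if err != nil {
		return err
	}

	// NOTE(review): the state lock is held when doFetch is called; whether
	// doFetch releases it around store access is not visible here. Confirm.
	err = doFetch(st, ss.UserID, func(f asserts.Fetcher) error {
		return snapasserts.FetchSnapAssertions(f, sha3_384)
	})
	if notFound, ok := err.(*store.AssertionNotFoundError); ok {
		if notFound.Ref.Type == asserts.SnapRevisionType {
			// No snap-revision for this digest: nothing vouches for the file.
			return fmt.Errorf("cannot verify snap %q, no matching signatures found", ss.Name())
		}
		return fmt.Errorf("cannot find supported signatures to verify snap %q and its hash (%v)", ss.Name(), notFound)
	}
	if err != nil {
		return err
	}

	if err := snapasserts.CrossCheck(ss.Name(), sha3_384, snapSize, ss.SideInfo, DB(st)); err != nil {
		// TODO: trigger a global sanity check
		// that will generate the changes to deal with this
		// for things like snap-decl revocation and renames?
		return err
	}

	// TODO: set DeveloperID from assertions
	return nil
}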
// copySnapAsserts fetches, through f, the assertions for the snap identified
// by info.digest and returns the fetcher's error, if any.
//
// NOTE(review): this only fetches; no cross check against a snap file happens
// here. info.digest is presumably computed from the file by the caller.
// Confirm.
func copySnapAsserts(info *info, f asserts.Fetcher) error {
	digest := info.digest
	return snapasserts.FetchSnapAssertions(f, digest)
}