Skip to content

upki(snap): initial snapcraft.yaml for client #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jnsgruk wants to merge 4 commits into from
Closed

upki(snap): initial snapcraft.yaml for client #51

jnsgruk wants to merge 4 commits into from

Conversation

@jnsgruk
Copy link

@jnsgruk jnsgruk commented Jan 23, 2026

This commit adds an initial snapcraft.yaml for
the UPKI client binary.

The snap is strictly confined, with access to
$HOME and the network.

It also has a 'personal-files' plug which
must be manually connected for now, but which we
can have auto-connected once the snap is published
in the store.

For now, you can test as such:

# Build the snap
cd upki
snapcraft pack

# Install and connect interfaces
sudo snap install --dangerous ./upki_0.1.0_amd64.snap
sudo snap connect upki:dot-cache-upki

# Fetch filters and do a check
upki fetch
curl -w '%{certs}' https://google.com/ | upki revocation-check high

@jnsgruk
upki(snap): initial snapcraft.yaml
6a950ff 
This commit adds an initial snapcraft.yaml for
the UPKI client binary.

The snap is strictly confined, with access to
$HOME and the network.

It also has a 'personal-files' plug which
must be manually connected for now, but which we
can have auto-connected once the snap is published
in the store.

For now, you can test as such:

    # Build the snap
    cd upki
    snapcraft pack

    # Install and connect interfaces
    sudo snap install --dangerous ./upki_0.1.0_amd64.snap
    sudo snap connect upki:dot-cache-upki

    # Fetch filters and do a check
    upki fetch
    curl -w '%{certs}' https://google.com | upki revocation-check high
@jnsgruk
chore: add *.snap to gitignore
f7546c2
@jnsgruk
Copy link
Author

jnsgruk commented Jan 23, 2026
edited
Loading

@julian-klode FYI

@djc
Copy link
Member

djc commented Jan 23, 2026

Is it conventional for these to live upstream?

@jnsgruk
Copy link
Author

jnsgruk commented Jan 23, 2026

It's mixed - many upstream projects do have the snapcraft in the upstream repo (they're pretty lightweight), but I don't have a strong opinion if you'd prefer the packaging concerns were kept separately.. I could always move the snap to a dedicated repo under Canonical

@djc
Copy link
Member

djc commented Jan 23, 2026

It looks like this is focusing on the user-specific config/cache. Do you also have a plan for having a OS-global cache with a systemd unit to run regular updates?

@jnsgruk
Copy link
Author

jnsgruk commented Jan 23, 2026

I could certainly add a plug for /var/cache/upki and /etc/upki, which seem like the appropriate locations?

@djc
Copy link
Member

djc commented Jan 23, 2026

I could certainly add a plug for /var/cache/upki and /etc/upki, which seem like the appropriate locations?

The docs that @ctz wrote up seem to indicate the current path is supposed to be something like /etc/xdg/upki/config.toml though honestly it might be nice to get rid of the xdg segment from that.

@jnsgruk jnsgruk marked this pull request as draft January 23, 2026 12:27
@jnsgruk
Copy link
Author

jnsgruk commented Jan 23, 2026

My plan is to add a timer service to the snap, per: https://snapcraft.io/docs/services-and-daemons

@jnsgruk
upki-mirror(snap): basic snapcraft.yaml
9997f1d 
This commit adds a snapcraft.yaml for upki-mirror.

The snap is set up such that a user could
manually invoke the binary, or write their own
service/timer should they wish, but the snap
also includes a service which runs each day at
03:00.

That service will fetch the upstream CRLite
filters into /var/snap/upki-mirror/common/data.
By using the $SNAP_COMMON directory, the data
persists across snap revisions and is snapshotted.

By default, all users can read the data in this
directory, which should make it easy to setup
a web server to serve the contents.
@jnsgruk
Copy link
Author

jnsgruk commented Jan 23, 2026

Hmm, after a bit more playing, there is a limitation on the system-files interface that makes this quite impractical. Will discuss with Julian about creating some debs for this instead as a starting point.

@jnsgruk jnsgruk closed this Jan 23, 2026
@ctz
Copy link
Member

ctz commented Jan 23, 2026

something like /etc/xdg/upki/config.toml though honestly it might be nice to get rid of the xdg segment from that.

See https://specifications.freedesktop.org/basedir/latest/ -- it's a pretty established standard. If we deviate from that, we need a very very good reason.

@djc
Copy link
Member

djc commented Jan 23, 2026

See https://specifications.freedesktop.org/basedir/latest/ -- it's a pretty established standard. If we deviate from that, we need a very very good reason.

It's also kind of explicitly for desktops, right? I've used Linux servers for 20+ years and have never encountered /etc/xdg before. All the services I've administered have used /etc/service.conf or /etc/service/stuff.conf-style things.

Anyway, I feel like @jnsgruk and @julian-klode as distro folks probably have more expertise on this than we have...

@jnsgruk
Copy link
Author

jnsgruk commented Jan 24, 2026
edited
Loading

Yeh, I think /etc/xdg is a bit odd for server-ish daemons, personally.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jnsgruk @djc @ctz