Snapcraft builds are always auto rejected

[RobbieTheWagner]

I opened an issue here electron/forge#1678 but perhaps this repo is the more appropriate place for it. When I build snapcraft builds and upload them to the Snap Store, I always get auto rejected with the following error:

checksums do not match. Please ensure the snap is created with either 'snapcraft pack <DIR>' (using snapcraft >= 2.38) or 'mksquashfs <dir> <snap> -noappend -comp xz -all-root -no-xattrs -no-fragments'. 
If using electron-builder, please upgrade to latest stable (>= 20.14.7). See https://forum.snapcraft.io/t/automated-reviews-and-snapcraft-2-38/4982/17 for details. 
security-snap-v2_squashfs_repack_checksum What does this mean?
found errors in file output: unusual mode 'rwsr-xr-x' for entry './swach/chrome-sandbox' security-snap-v2_squashfs_files
human review required due to 'deny-connection' constraint (interface attributes). If using a chromium webview, you can disable the internal sandbox (eg, use --no-sandbox) and remove the 'allow-sandbox' attribute instead. 
For QtWebEngine webviews, export QTWEBENGINE_DISABLE_SANDBOX=1 to disable its internal sandbox. 
declaration-snap-v2_plugs_connection (browser-sandbox, browser-support)

I see browserSandbox is turned on by default when on Electron >= 5.0.0, but this error message sounds like we should be disabling the sandbox and instead using confinement. I have tried adding --no-sandbox to my electron app's args and setting browserSandbox: false but the error still persists.

Any tips on fixing this problem or is there no possible way to build an Electron app for Snap that does not need manual review?

[welcome]

👋 Thanks for opening your first issue here! If you have a question about using electron-installer-snap, read the support docs. If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. Development and issue triage is community-driven, so please be patient and we will get back to you as soon as we can.

To help make it easier for us to investigate your issue, please follow the contributing guidelines.

[RobbieTheWagner]

Looking into the code here further, it seems there is no way to disable the transform which adds browser-sandbox.

electron-installer-snap/src/yaml.js

Line 170 in 2f76307

'allow-sandbox': true,

How are we supposed to be able to do allow-sandbox: false?

[RobbieTheWagner]

@malept I tried to get a manual review and they gave me this response:

Use of the 'allow-sandbox' attribute of the browser-support interface is reserved for vetted publishers. 
Typically this access is not required (see https://forum.snapcraft.io/t/supported-interfaces/7744 for details). 

So it sounds like we need to be able to disable this. Does Electron require the sandbox to run on Linux?

[RobbieTheWagner]

@malept I have been discussing this issue here https://forum.snapcraft.io/t/cannot-publish-an-electron-app/17493/25?u=rwwagner90 and debugging for many days. I still have yet to figure out a solution, but it seems if we made our build more like the one for electron-builder, it should work.

[mahnunchik]

@malept any chance to have PR merged? #75

[davidwinter]

@mahnunchik might want to give @davidwinter/electron-forge-maker-snap a try in the meantime. @rwwagner90 and I have tested it with both of our apps, and it seems to be working well with the sandbox disabled.

[RobbieTheWagner]

I can confirm that @davidwinter's project works great!

[VerteDinde]

Initial issue resolved in #141 - this should keep snaps from being auto-rejected by the snap store on the basis of browser-sandbox. Doing a little digging to make sure there isn't other issues that would result in an auto-reject, and then we can close this specific issue.