electron-builder constructs snap squashfs files that are incompatible with the snap store

I am a snap store reviewer. As was reported in https://github.com/electron-userland/electron-builder/issues/2803, at a high-level, the ‘resquash tests’ consist of unsquashing the uploaded snap, then running mksquashfs on it to generate a new snap, then checking the hash of the original and resquashed snaps. The store therefore expects that mksquashfs is invoked with expected options. Issue #2803 was addressed and fixed electron-builder for some incompatible mksquashfs options (thanks!) and we recently re-enabled our resquashfs tests but noticed that (only) electron snaps continue to fail automated review with messages like this:

$ SNAP_ENFORCE_RESQUASHFS=1 snap-review signal-desktop_1.8.0-beta.1_amd64.snap 
Errors
------
 - security-snap-v2:squashfs_repack_checksum
        checksums do not match. Please ensure the snap is created with either 'snapcraft pack <DIR>' (using snapcraft >= 2.38) or 'mksquashfs <dir> <snap> -noappend -comp xz -all-root -no-xattrs -no-fragments'. If using electron-builder, please upgrade to (at least) 20.9.2 stable.
signal-desktop_1.8.0-beta.1_amd64.snap: FAIL

The reporter used electron-builder >=20.9.2 (see the forum URL for specifics). Looking at this with DEBUG=electron-builder, the squashfs is being built in two stages (reusing appimage code). The first builds with incompatible mksquash options and the second with compatible options (that are ignored), but appending to the first stage. Due to how resquash tests work, the resulting snap can never pass snap store review because of the incompatible options and because ‘-append’ is used (the unsquash/resquash will pack them in a different order).

Output (seen with export DEBUG=electron-builder before npm run build-release -- -l):

...
  • execute command           args=[/home/ubuntu/.cache/electron-builder/appimage/appimage-9.1.0/linux-x64/mksquashfs /home/ubuntu/tmp.0mPdLJ0eNz/latest/release/__snap-x64 /home/ubuntu/tmp.0mPdLJ0eNz/latest/release/signal-desktop_1.9.0-beta.1_amd64.snap -no-progress -quiet -all-root -no-duplicates -no-recovery] path=/home/ubuntu/.cache/electron-builder/appimage/appimage-9.1.0/linux-x64/mksquashfs
  • Found a valid exportable SQUASHFS superblock on /home/ubuntu/tmp.0mPdLJ0eNz/latest/release/signal-desktop_1.9.0-beta.1_amd64.snap.
    Compression used xz
    Inodes are compressed
    Data is compressed
    Fragments are compressed
    Xattrs are compressed
    Fragments are not present in the filesystem
    Always-use-fragments option is not specified
    Duplicates are removed
    Xattrs are not stored
    Filesystem size 62373.43 Kbytes (60.91 Mbytes)
    Block size 131072
    Number of fragments 0
    Number of inodes 10032
    Number of ids 1

Scanning existing filesystem...
Read existing filesystem, 10031 inodes scanned
Appending to existing 4.0 filesystem on /home/ubuntu/tmp.0mPdLJ0eNz/latest/release/signal-desktop_1.9.0-beta.1_amd64.snap, block size 131072
All -b, -noI, -noD, -noF, -noX, no-duplicates, no-fragments, -always-use-fragments,
-exportable and -comp options ignored

If appending is not wanted, please re-run with -noappend specified!

No recovery data option specified.
Skipping saving recovery file.

There seem to be a couple of ways forward:

1. support snaps directly rather than using a 2-stage build based on the existing appimage code. This obviously requires more work up front, but you could then use ‘snapcraft pack ./dir’ which would guarantee that the squashfs is constructed with snap store-compatible options going forward
2. as an immediate, quick and dirty first step you could take the resulting snap at the end of your two stage build, unpack it then repack it. Eg:

$ unsquashfs ./path/to/snap
$ snapcraft pack ./squashfs-root

or using mksquashfs directly:
$ unsquashfs ./path/to/snap
$ mksquashfs ./squashfs-root ./path/to/new/snap -noappend -comp xz -all-root -no-xattrs -no-fragments

There are probably other options than the above. Option 2 is going to be slower to build the snap (I suspect if you built the 2 stage without compression this would speed things up).

As it stands, app snaps built with electron-builder are the only known snaps to fail the resquash test. Due to their popularity, we’ve temporarily disabled the resquash test in the store, but we need to re-enable this soon and would like electron-builder developers to continue to have a great snap store experience. 😃

In developing a fix for this, I suggest that you test the resulting snap with the review-tools snap, which is what the store uses. Eg, on any OS that supports snaps:

$ sudo snap install review-tools --beta
$ SNAP_ENFORCE_RESQUASHFS=1 snap-review /path/to/snap
...