Signal on F-droid Guardian Repo
-
[email protected]replied to [email protected] last edited by
It’s weird that this isn’t mentioned on the signal website or blog? They also distribute the binary with a signature you can check there if you want a non-play store source that’s actually verifiable.
-
[email protected]replied to [email protected] last edited by
It's probably not an official thing. F-Droid can't distribute apps in the official repo via their own policy if the developer doesn't agree. Third-party repos like Guardian can.
-
[email protected]replied to [email protected] last edited by
If it’s not official, how do you verify who is building the binary?
-
[email protected]replied to [email protected] last edited by
Please forgive if this is a stupid question, but what is the difference between the play store version and this? Assuming it is not altered by a bad actor.
-
[email protected]replied to [email protected] last edited by
I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website.
AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian.
Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.
Because I didn't really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It's named Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.
I then used keytool to print the signature certificate fingerprint: (renamed the files to make it less confusing)

    keytool -printcert -jarfile signal-website.apk
    Signer #1:
    Certificate #1:
    Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Serial number: 4bfbebba
    Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
    Certificate fingerprints:
         SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
         SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
    Signature algorithm name: SHA1withRSA (weak)
    Subject Public Key Algorithm: 1024-bit RSA key (weak)
    Version: 3

    keytool -printcert -jarfile signal-guardian.apk
    Signer #1:
    Certificate #1:
    Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Serial number: 4bfbebba
    Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
    Certificate fingerprints:
         SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
         SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
    Signature algorithm name: SHA1withRSA (weak)
    Subject Public Key Algorithm: 1024-bit RSA key (weak)
    Version: 3

The fingerprints are identical.
Another edit: I just noticed that Signal even has official instructions for checking the signature on their APK download page. They use apksigner instead of keytool, but it's basically the same process.
-
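The comparison described in the post above, as an added example that is not part of the thread: a shell script that pulls the SHA-256 certificate fingerprint out of `keytool -printcert` or `apksigner verify --print-certs` output and checks it against a pinned value instead of comparing by eye. The pin is the fingerprint quoted in the thread; the function names and the `Signal.apk` file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check an APK signing-certificate fingerprint against a pin.
# Pin = SHA-256 fingerprint quoted in the thread; in practice, take it from a
# channel independent of the place the APK was downloaded from.
PINNED_SHA256='29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26'

# Strip colons/whitespace and lowercase, so keytool and apksigner styles compare.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'ABCDEF' 'abcdef'
}

# Read tool output on stdin; print one normalized SHA-256 per signer certificate.
extract_sha256() {
    sed -n -e 's/^[[:space:]]*SHA256:[[:space:]]*//p' \
           -e 's/^Signer #[0-9]* certificate SHA-256 digest:[[:space:]]*//p' |
    while IFS= read -r fp; do normalize_fp "$fp"; echo; done
}

# Return 0 on match, 1 on mismatch, 2 if there is not exactly one certificate.
check_cert_output() {
    fps=$(extract_sha256)
    count=$(printf '%s\n' "$fps" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "FAIL: expected 1 signer certificate, found $count" >&2
        return 2
    fi
    if [ "$fps" != "$(normalize_fp "$PINNED_SHA256")" ]; then
        echo "FAIL: $fps does not match the pinned fingerprint" >&2
        return 1
    fi
    echo "OK: signing certificate matches the pin"
}

# Real use (needs a JDK on PATH): verify_apk Signal.apk
verify_apk() { keytool -printcert -jarfile "$1" | check_cert_output; }

# Excerpt of the keytool output quoted in the thread, used as offline input.
sample_keytool() { cat <<'EOF'
Signer #1:
Certificate #1:
Serial number: 4bfbebba
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
EOF
}

sample_keytool | check_cert_output
```

`keytool -printcert` only prints the certificate embedded in the file; `apksigner verify` additionally checks that the APK contents are covered by the signature.
-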
[email protected]replied to [email protected] last edited by
I would hope the difference is that the f-droid version does not contain any proprietary code.
-
[email protected]replied to [email protected] last edited by
Thanks for doing this!
-
[email protected]replied to [email protected] last edited by
Takes like 2 minutes
-
[email protected]replied to [email protected] last edited by
Is there anything specifically wrong with Molly? It seems more locked down by default and is fully open source. Seems better to me.
-
[email protected]replied to [email protected] last edited by
IIRC Molly in F-Droid is still using FCM and the Google Maps API. If you want Molly-FOSS, you have to use Obtainium to pull APKs from their git releases.
Edit: I was wrong, you can get it off their F-Droid repository.
-
[email protected]replied to [email protected] last edited by
You have quite a bit of background knowledge to know how to do that though, you should give yourself more credit!
-
[email protected]replied to [email protected] last edited by
Molly-FOSS is awesome and it now has UnifiedPush support built-in!
Get it with Obtainium
-
[email protected]replied to [email protected] last edited by
Woah that's awesome to hear about the FOSS variant. I'll switch over to that version now
-
[email protected]replied to [email protected] last edited by
They do not ship updates as fast as the official Signal client does. Do not use it unless you specifically need one of its security features.
-
[email protected]replied to [email protected] last edited by
Thanks, I mean I used to work as a Java developer before, and I'm quite interested in the Android platform, so I'm familiar with the SDK and build tools, and know how app signatures work
-
[email protected]replied to [email protected] last edited by
Or via Accrescent
-
[email protected]replied to [email protected] last edited by
Just make sure to set up UnifiedPush if you want to receive notifications while your Molly database is locked. I recommend the new Sunup UP distributor. I wanted to make a post about it in [email protected], but never got around to doing it.
For Mollysocket, there are a few public instances. molly.adminforge.de is one of them. You can also set up your own on Fly.io, check out this repo: https://github.com/pcrockett/mollysocket-fly
Or you can obviously self-host it on any VPS or hardware that you own.
-
[email protected]replied to [email protected] last edited by
You can also get it from Accrescent
-
[email protected]replied to [email protected] last edited by
No, it's not a special "FOSS" version, it's just the official binary distributed through the Guardian Project repo (as I have proven: https://lemmy.dbzer0.com/comment/16230276). If you want a FOSS variant, check out Signal-FOSS or Molly, they also offer a FOSS variant. You can either download it from their custom F-Droid repo, pull the APK from GitHub using Obtainium or get it from Accrescent.
-
[email protected]replied to [email protected] last edited by
Yikes. Thanks for the info.