Signal on F-droid Guardian Repo
-
zqwzzle@lemmy.ca replied to Guest on 25 Jan 2025, 17:10
If it’s not official, how do you verify who is building the binary?
-
knightonthesun@lemmy.world replied to Guest on 25 Jan 2025, 18:03
Please forgive if this is a stupid question, but what is the difference between the play store version and this? Assuming it is not altered by a bad actor.
-
andromxda@lemmy.dbzer0.com replied to Guest on 25 Jan 2025, 18:25
I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website
AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian
Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.
Because I didn't really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It's named Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.
I then used keytool to print the signature certificate fingerprint: (renamed the files to make it less confusing)

    keytool -printcert -jarfile signal-website.apk

    Signer #1:
    Certificate #1:
    Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Serial number: 4bfbebba
    Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
    Certificate fingerprints:
         SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
         SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
    Signature algorithm name: SHA1withRSA (weak)
    Subject Public Key Algorithm: 1024-bit RSA key (weak)
    Version: 3

    keytool -printcert -jarfile signal-guardian.apk

    Signer #1:
    Certificate #1:
    Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Serial number: 4bfbebba
    Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
    Certificate fingerprints:
         SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
         SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
    Signature algorithm name: SHA1withRSA (weak)
    Subject Public Key Algorithm: 1024-bit RSA key (weak)
    Version: 3

The fingerprints are identical.
Another edit: I just noticed that Signal even has official instructions for checking the signature on their APK download page. They use apksigner instead of keytool, but it's basically the same process.
-
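The check described in the post above, as an added example that is not part of the original post: it pins the SHA256 fingerprint quoted in the keytool output, requires exactly one signer on each APK, and also compares file hashes, since a matching certificate shows the same signer rather than the same bytes. The function names and the use of sha256sum (GNU coreutils) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: compare two APKs by signer certificate and by file hash.
# Pinned value: the SHA256 certificate fingerprint from the keytool output in the post.
EXPECTED_SHA256="29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26"

# Read `keytool -printcert -jarfile` output on stdin and print every SHA256
# certificate fingerprint found, uppercase, one per line.
cert_sha256() {
  grep -oE 'SHA256:[[:space:]]*([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}' \
    | sed 's/^SHA256:[[:space:]]*//' \
    | tr 'a-f' 'A-F'
}

# Succeed only if stdin holds exactly one signer certificate and it equals $1.
# An unsigned file (no fingerprint) or an extra signer both count as failure.
signer_matches() {
  local fps
  fps=$(cert_sha256)
  [ -n "$fps" ] \
    && [ "$(printf '%s\n' "$fps" | grep -c .)" -eq 1 ] \
    && [ "$fps" = "$1" ]
}

# Check both APKs against the pinned signer, then compare their contents.
# Returns 0: same signer and identical bytes, 1: signer check failed,
# 2: same signer but different bytes (e.g. another version or build).
compare_apks() {
  local a="$1" b="$2" f
  for f in "$a" "$b"; do
    keytool -printcert -jarfile "$f" | signer_matches "$EXPECTED_SHA256" \
      || { echo "signer mismatch or no signature: $f" >&2; return 1; }
  done
  if [ "$(sha256sum < "$a")" = "$(sha256sum < "$b")" ]; then
    echo "same signer, byte-identical files"
  else
    echo "same signer, but file contents differ"
    return 2
  fi
}

# Runs only when given two APK paths, e.g.:
#   ./compare-apks.sh signal-website.apk signal-guardian.apk
if [ "$#" -eq 2 ]; then compare_apks "$1" "$2"; fi
```

keytool only reads the JAR (v1) signature inside the APK; `apksigner verify --print-certs`, the tool the post says Signal's own instructions use, also validates the newer APK signature schemes.
-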
refalo@programming.dev replied to Guest on 25 Jan 2025, 20:23
I would hope the difference is that the f-droid version does not contain any proprietary code.
-
sic_semper_tyrannis@lemmy.today replied to Guest on 25 Jan 2025, 20:53
Thanks for doing this!
-
andromxda@lemmy.dbzer0.com replied to Guest on 26 Jan 2025, 00:27
Takes like 2 minutes
-
0x520@slrpnk.net replied to Guest on 26 Jan 2025, 02:52
Is there anything specifically wrong with Molly? It seems more locked down by default and is fully open source. Seems better to me.
-
scoobford@lemmy.zip replied to Guest on 26 Jan 2025, 04:01
Iirc Molly in F-droid is still using FCM and the Google Maps API. If you want Molly-Foss, you have to use Obtainium to pull APKs from their git releases.
Edit: I was wrong, you can get it off their F-Droid repository.
-
quazaromega@lemy.lol replied to Guest on 26 Jan 2025, 08:29
You have quite a bit of background knowledge to know how to do that though, you should give yourself more credit!
-
beautiful_orca@discuss.tchncs.de replied to Guest 30 days ago
Molly-FOSS is awesome and it now has UnifiedPush support built-in!
Get it with Obtainium
-
sic_semper_tyrannis@lemmy.today replied to Guest 30 days ago
Woah that's awesome to hear about the FOSS variant. I'll switch over to that version now
-
transitinoir@slrpnk.net replied to Guest 29 days ago
They do not ship updates as fast as the official Signal client does. Do not use it unless you specifically need one of its security features.
-
andromxda@lemmy.dbzer0.com replied to Guest 29 days ago
Thanks, I mean I used to work as a Java developer before, and I'm quite interested in the Android platform, so I'm familiar with the SDK and build tools, and know how app signatures work
-
andromxda@lemmy.dbzer0.com replied to Guest 29 days ago
Or via Accrescent
-
andromxda@lemmy.dbzer0.com replied to Guest 29 days ago
Just make sure to set up UnifiedPush if you want to receive notifications while your Molly database is locked. I recommend the new Sunup UP distributor. I wanted to make a post about it in !unifiedpush@lemmy.dbzer0.com, but never got around to doing it.
For Mollysocket, there are a few public instances. molly.adminforge.de is one of them. You can also set up your own on Fly.io, check out this repo: https://github.com/pcrockett/mollysocket-fly
Or you can obviously self-host it on any VPS or hardware that you own.
-
andromxda@lemmy.dbzer0.com replied to Guest 29 days ago
You can also get it from Accrescent
-
andromxda@lemmy.dbzer0.com replied to Guest 29 days ago
No, it's not a special "FOSS" version, it's just the official binary distributed through the Guardian Project repo (as I have proven: https://lemmy.dbzer0.com/comment/16230276). If you want a FOSS variant, check out Signal-FOSS or Molly, they also offer a FOSS variant. You can either download it from their custom F-Droid repo, pull the APK from GitHub using Obtainium or get it from Accrescent.
-
refalo@programming.dev replied to Guest 29 days ago
Yikes. Thanks for the info.
-
fmstrat@lemmy.nowsci.com replied to Guest 26 days ago
You can also install directly from Signal via Obtainium. https://apps.obtainium.imranr.dev/
{"id":"org.thoughtcrime.securesms","url":"https://updates.signal.org/android/latest.json","author":"Signal","name":"Signal","preferredApkIndex":0,"additionalSettings":"{\"intermediateLink\":[],\"customLinkFilterRegex\":\"\",\"filterByLinkText\":false,\"skipSort\":false,\"reverseSort\":false,\"sortByLastLinkSegment\":false,\"versionExtractWholePage\":false,\"requestHeader\":[{\"requestHeader\":\"User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36\"}],\"defaultPseudoVersioningMethod\":\"partialAPKHash\",\"trackOnly\":false,\"versionExtractionRegEx\":\"\\\\d+.\\\\d+.\\\\d+\",\"matchGroupToUse\":\"\",\"versionDetection\":true,\"useVersionCodeAsOSVersion\":false,\"apkFilterRegEx\":\"\",\"invertAPKFilter\":false,\"autoApkFilterByArch\":true,\"appName\":\"\",\"shizukuPretendToBeGooglePlay\":false,\"allowInsecure\":false,\"exemptFromBackgroundUpdates\":false,\"skipUpdateNotifications\":false,\"about\":\"Signal is an open-source end to end encrypted messaging app.\"}","overrideSource":null}
-
beautiful_orca@discuss.tchncs.de replied to Guest 25 days ago
I have my own mollysocket and ntfy, both on tailscale domains with funnel. You can restrict your mollysocket to only your ID.