this post was submitted on 25 Jan 2025
143 points (97.4% liked)

Privacy

33055 readers
616 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I just noticed today that Signal (not talking Molly) is now available on F-Droid via the "Guardian" repository.

Just wanted to give everyone a heads up.

top 38 comments
sorted by: hot top controversial new old
[–] 0x520@slrpnk.net 1 points 1 hour ago

I was gonna say, I got Molly-FOSS from F-droid, but I actually had to go back and check. It checks out though. I did also get obtainium so I can keep a better eye on updates and actually check the changes on git before updating something as important as secure, encrypted coms. Also I figured I should really start checking the signature each update from now on.

[–] beautiful_orca@discuss.tchncs.de 2 points 7 hours ago (1 children)

Molly-FOSS is awesome and it now has UnifiedPush support built-in!

Get it with Obtainium

[–] sic_semper_tyrannis@lemmy.today 1 points 7 hours ago

Woah that's awesome to hear about the FOSS variant. I'll switch over to that version now

[–] Andromxda@lemmy.dbzer0.com 5 points 12 hours ago (1 children)

Please rename the thread to "Signal in the Guardian project F-Droid repo" or something like that to avoid confusion, because as you have noticed, it's not available in the main F-Droid repo, just in the third-party repo maintained by the Guardian project

[–] 0x520@slrpnk.net 11 points 1 day ago (2 children)

Is there anything specifically wrong with molly. It seems more locked down by default and is fully open source. Seems better to me.

[–] scoobford@lemmy.zip 6 points 1 day ago* (last edited 18 hours ago) (1 children)

Iirc Molly in F-droid still using FCM and the google maps API. If you want Molly-Foss, you have to use Obtanium to pull APKs from their git releases.

Edit: I was wrong, you can get it off their F-Droid repository.

[–] LodeMike@lemmy.today 8 points 23 hours ago

No. You can use their f-droid repo to get molly-foss

No, nothing wrong with it. I use it actually. People are used to Molly being on F-Droid so I didn't want anyone to think that I was referencing that instead of actual Signal.

[–] zqwzzle@lemmy.ca 30 points 1 day ago* (last edited 1 day ago) (1 children)

It’s weird that this isn’t mentioned on the signal website or blog? They also distribute the binary with a signature you can check there if you want a non-play store source that’s actually verifiable.

[–] Andromxda@lemmy.dbzer0.com 14 points 1 day ago* (last edited 1 day ago) (2 children)

It's probably not an official thing. F-Droid can't distribute apps in the official repo via their own policy if the developer doesn't agree. Third-party repos like Guardian can.

[–] zqwzzle@lemmy.ca 9 points 1 day ago (1 children)

If it’s not official, how do you verify who is building the binary?

[–] Andromxda@lemmy.dbzer0.com 21 points 1 day ago* (last edited 1 day ago) (1 children)

I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website

AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian


Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.

Because I didn't really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It's named Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.

I then used keytool to print the signature certificate fingerprint: (renamed the files to make it less confusing)

keytool -printcert -jarfile signal-website.apk
Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3
keytool -printcert -jarfile signal-guardian.apk
Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

The fingerprints are identical.


Another edit: I just noticed that Signal even has official instructions for checking the signature on their APK download page. They use apksigner instead of keytool, but it's basically the same process.

[–] sic_semper_tyrannis@lemmy.today 5 points 1 day ago (1 children)
[–] Andromxda@lemmy.dbzer0.com 2 points 1 day ago (1 children)
[–] QuazarOmega@lemy.lol 3 points 19 hours ago

You have quite a bit of background knowledge to know how to do that though, you should give yourself more credit!

[–] lady_mongrel@lemmy.ml 3 points 1 day ago (1 children)

Can confirm, the repository was Guardian Project

[–] Andromxda@lemmy.dbzer0.com 8 points 1 day ago (1 children)

I know, it even says so in the post:

I just noticed today that Signal (not talking Molly) is now available on F-Droid via the "Guardian" repository.

[–] lady_mongrel@lemmy.ml 3 points 1 day ago

Haha it would help if I could read 🤣

[–] iii@mander.xyz 25 points 1 day ago

Perhaps a result of the proposed ban on distributing tiktok via google and apple is that some developers rethink their distribution mechanisms

[–] JubilantJaguar@lemmy.world 10 points 1 day ago* (last edited 1 day ago) (2 children)

I have a tangential question. Would it not make sense for an OS, in this case Android, to have some proper mechanism for installing apps (in this case APKs) directly from a website (as lots of people have been doing fastidiously from signal.org by necessity)?

After all, this is all about trust. With software, assuming that you trust the developer, the goal is to be sure that nobody interfered with the developer's compiled software - and who better to guarantee that than the developer themself, at their own domain? DNS resolution is already based on the "web of trust" principle, which is why you can trust your bank's website. Arguably F-Droid performs a valuable role as a curator and selector of good software, but is there any good technical need for it to actually distribute the software?

[–] said@lemmy.sdf.org 15 points 1 day ago (2 children)

Not exactly answering your question but you can use the app Obtainium to fetch the apk URL from a website/github repo and many other sources to install directly. It also supports fdroid repos and many other sources out of the box. Kinda half way what you mentioned in your first paragraph.

[–] logging_strict@lemmy.ml 2 points 22 hours ago

Thank you for posting the link

[–] JubilantJaguar@lemmy.world 4 points 1 day ago* (last edited 1 day ago) (1 children)

Yes true! Forgot about Obtainium. ~~Personally I'm not much tempted because all it does is swap out F-Droid for Github (i.e. Microsoft) as the middleman.~~ But I agree that it's definitely a win for convenience.

PS: Turns out Obtainium is source-agnostic. Good news.

[–] said@lemmy.sdf.org 5 points 1 day ago (1 children)

Of course Github is just an example but you can pretty much regex any URL and further filter out anything in order to get the apk link with it. So depending on your level of privacy requirement and trusted sources, you can skip all the centralized ones and build your own list of sources.

[–] JubilantJaguar@lemmy.world 3 points 1 day ago

So it does! OK so this is pretty close to a decent solution after all (the ideal one being IMO exactly the same thing but native to the OS). Thanks for the correction.

[–] refalo@programming.dev 5 points 1 day ago (1 children)

Not sure if this fits your definition of OS, proper, or install, but FWIW you can already download an apk directly from github using most Android browsers and it will open (or give you the option to open) it with the system's package installer.

[–] JubilantJaguar@lemmy.world 5 points 1 day ago (1 children)

Yep and that's exactly what we doing with Signal to avoid the Play Store. It's a bit of a PITA and it's the same on desktop. It's because they don't want third parties maintaining their packages.

My crazy utopian idea is for some kind of protocol (or equivalent) that would allow native package managers (mobile or desktop) to "plug in" to the website repos of authors, directly.

[–] refalo@programming.dev 3 points 1 day ago (1 children)

Isn't this basically the same thing as clicking a .apk or .exe link in a browser (which already works on mobile/desktop)?

[–] JubilantJaguar@lemmy.world 3 points 1 day ago

Other than (a) having to use a browser and (b) no update mechanism, yes.

[–] furrowsofar@beehaw.org 11 points 1 day ago

Thanks. You can get it by Obtainium too.

[–] KnightontheSun@lemmy.world 4 points 1 day ago* (last edited 1 day ago) (3 children)

Please forgive if this is a stupid question, but what is the difference between the play store version and this? Assuming it is not altered by a bad actor.

[–] Wolfie@lemm.ee 6 points 1 day ago

As i recall, ALL apps in google play store, have to have some sort of google shit embedded into it. Therefore, its better to download something outside of google if you want to remain degoogled.

[–] refalo@programming.dev 3 points 1 day ago

I would hope the difference is that the f-droid version does not contain any proprietary code.

[–] powermaker450@discuss.tchncs.de 2 points 1 day ago (1 children)

I think the main difference is that the Play Store version can use FCM (Google Play Services) for notifications, while the APK Signal distributes only receives notifications over a background WebSocket connection.

[–] KnightontheSun@lemmy.world 1 points 1 day ago (1 children)

That is interesting. Thanks to you and the others.

Does the use of the google play services allow google to sort of…listen in or be privy to your app usage in any way?

[–] powermaker450@discuss.tchncs.de 4 points 1 day ago (1 children)

Google cannot see any message content of Signal notifications through FCM. It's more like a "heads up" to the Signal app, telling it "hey, there are new messsges. wake up and check what they are.". The Signal app then checks for messages and does all the decrypting and whatnot itself.

While it's possible that the timing of FCM telling the app to check for notifications could be used to correlate activity, that's an edge case that if you are concerned about can be easily avoided by just using the background WebSocket or a fork of Signal like Molly that allows you to use a third-party UnifiedPush provider to check for messages in the background, instead of FCM.

[–] KnightontheSun@lemmy.world 2 points 1 day ago

Yes, the activity was what I thought of. Thank you for helping to educate me!