Privacy

33146 readers

686 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

[email protected]

158

Signal on F-droid Guardian Repo (lemmy.today)

submitted 5 days ago* (last edited 3 days ago) by [email protected] to c/[email protected]

46 comments fedilink hide all child comments

I just noticed today that Signal (not talking Molly) is now available on F-Droid via the "Guardian" repository.

Just wanted to give everyone a heads up.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 14 points 5 days ago* (last edited 4 days ago) (2 children)

It's probably not an official thing. F-Droid can't distribute apps in the official repo via their own policy if the developer doesn't agree. Third-party repos like Guardian can.

[–] [email protected] 9 points 5 days ago (1 children)

If it’s not official, how do you verify who is building the binary?

[–] [email protected] 22 points 5 days ago* (last edited 4 days ago) (1 children)

I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website

AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian

Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.

Because I didn't really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It's named Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.

I then used keytool to print the signature certificate fingerprint: (renamed the files to make it less confusing)

keytool -printcert -jarfile signal-website.apk

Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

keytool -printcert -jarfile signal-guardian.apk

Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

The fingerprints are identical.

[–] [email protected] 5 points 4 days ago (1 children)

Thanks for doing this!

[–] [email protected] 2 points 4 days ago (1 children)

Takes like 2 minutes 😅

[–] [email protected] 3 points 4 days ago (1 children)

You have quite a bit of background knowledge to know how to do that though, you should give yourself more credit!

[–] [email protected] 2 points 3 days ago* (last edited 3 days ago)

Thanks, I mean I used to work as a Java developer before, and I'm quite interested in the Android platform, so I'm familiar with the SDK and build tools, and know how app signatures work

But it's really not that hard to figure out. There are countless guides on the internet, and as I said, Signal even has a quick guide for how to verify the APK signature on the download page

[–] [email protected] 3 points 4 days ago (1 children)

Can confirm, the repository was Guardian Project

[–] [email protected] 8 points 4 days ago (1 children)

I know, it even says so in the post:

I just noticed today that Signal (not talking Molly) is now available on F-Droid via the "Guardian" repository.

[–] [email protected] 3 points 4 days ago

Haha it would help if I could read 🤣