I just noticed today that Signal (not talking Molly) is now available on F-Droid via the “Guardian” repository.

Just wanted to give everyone a heads up.

  • Andromxda 🇺🇦🇵🇸🇹🇼English
    144 days ago

    It’s probably not an official thing. F-Droid can’t distribute apps in the official repo via their own policy if the developer doesn’t agree. Third-party repos like Guardian can.

      • Andromxda 🇺🇦🇵🇸🇹🇼English
        215 days ago

        I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website

        AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian

        Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.

        Because I didn’t really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It’s named Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.

        I then used keytool to print the signature certificate fingerprint: (renamed the files to make it less confusing)

        keytool -printcert -jarfile signal-website.apk

        Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

        keytool -printcert -jarfile signal-guardian.apk

        Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

        The fingerprints are identical.

        Another edit: I just noticed that Signal even has official instructions for checking the signature on their APK download page. They use apksigner instead of keytool, but it’s basically the same process.

            • @[email protected]
              24 days ago

              You have quite a bit of background knowledge to know how to do that though, you should give yourself more credit!

              • Andromxda 🇺🇦🇵🇸🇹🇼English
                23 days ago

                Thanks, I mean I used to work as a Java developer before, and I’m quite interested in the Android platform, so I’m familiar with the SDK and build tools, and know how app signatures work

                But it’s really not that hard to figure out. There are countless guides on the internet, and as I said, Signal even has a quick guide for how to verify the APK signature on the download page