Signal on F-droid Guardian Repo
I just noticed today that Signal (not talking Molly) is now available on F-Droid via the "Guardian" repository.
Just wanted to give everyone a heads up.
Questa voce è stata modificata (7 mesi fa)
like this
⇧
iii
in reply to sic_semper_tyrannis • • •like this
yosl likes this.
flatbield
in reply to sic_semper_tyrannis • • •zqwzzle
in reply to sic_semper_tyrannis • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to zqwzzle • • •zqwzzle
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to zqwzzle • • •I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website
AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian
Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.
Because I didn't really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It's named
Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.I then used
keytoolto print the signature certificate fingerprint: (renamed the files to make it less confusing)The fingerprints are identical.
Another edit: I just noticed that Signal even has official instructions for checking the signature on their APK download page. They use
apksignerinstead ofkeytool, but it's basically the same process.Signal Android APK
Signal Messengersic_semper_tyrannis
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to sic_semper_tyrannis • • •QuazarOmega
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to QuazarOmega • • •Thanks, I mean I used to work as a Java developer before, and I'm quite interested in the Android platform, so I'm familiar with the SDK and build tools, and know how app signatures work
But it's really not that hard to figure out. There are countless guides on the internet, and as I said, Signal even has a quick guide for how to verify the APK signature on the download page
lady_mongrel
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to lady_mongrel • • •I know, it even says so in the post:
lady_mongrel
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •KnightontheSun
in reply to sic_semper_tyrannis • • •Wolfie
in reply to KnightontheSun • • •refalo
in reply to KnightontheSun • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to refalo • • •No, it's not a special "FOSS" version, it's just the official binary distributed through the Guardian Project repo (as I have proven: lemmy.dbzer0.com/comment/16230…). If you want a FOSS variant, check out Signal-FOSS or Molly, they also offer a FOSS variant. You can either download it from their custom F-Droid repo, pull the APK from GitHub using Obtainium or get it from Accrescent.
Molly
Molly Instant MessengerAndromxda 🇺🇦🇵🇸🇹🇼
2025-01-25 18:25:02
refalo
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •povario
in reply to KnightontheSun • • •KnightontheSun
in reply to povario • • •That is interesting. Thanks to you and the others.
Does the use of the google play services allow google to sort of…listen in or be privy to your app usage in any way?
povario
in reply to KnightontheSun • • •Google cannot see any message content of Signal notifications through FCM. It's more like a "heads up" to the Signal app, telling it "hey, there are new messsges. wake up and check what they are.". The Signal app then checks for messages and does all the decrypting and whatnot itself.
While it's possible that the timing of FCM telling the app to check for notifications could be used to correlate activity, that's an edge case that if you are concerned about can be easily avoided by just using the background WebSocket or a fork of Signal like Molly that allows you to use a third-party UnifiedPush provider to check for messages in the background, instead of FCM.
Molly
Molly Instant MessengerKnightontheSun
in reply to povario • • •JubilantJaguar
in reply to sic_semper_tyrannis • • •I have a tangential question. Would it not make sense for an OS, in this case Android, to have some proper mechanism for installing apps (in this case APKs) directly from a website (as lots of people have been doing fastidiously from signal.org by necessity)?
After all, this is all about trust. With software, assuming that you trust the developer, the goal is to be sure that nobody interfered with the developer's compiled software - and who better to guarantee that than the developer themself, at their own domain? DNS resolution is already based on the "web of trust" principle, which is why you can trust your bank's website. Arguably F-Droid performs a valuable role as a curator and selector of good software, but is there any good technical need for it to actually distribute the software?
said
in reply to JubilantJaguar • • •GitHub - ImranR98/Obtainium: Get Android app updates straight from the source.
GitHubJubilantJaguar
in reply to said • • •Yes true! Forgot about Obtainium. ~~Personally I'm not much tempted because all it does is swap out F-Droid for Github (i.e. Microsoft) as the middleman.~~ But I agree that it's definitely a win for convenience.
PS: Turns out Obtainium is source-agnostic. Good news.
said
in reply to JubilantJaguar • • •JubilantJaguar
in reply to said • • •logging_strict
in reply to said • • •refalo
in reply to JubilantJaguar • • •JubilantJaguar
in reply to refalo • • •Yep and that's exactly what we doing with Signal to avoid the Play Store. It's a bit of a PITA and it's the same on desktop. It's because they don't want third parties maintaining their packages.
My crazy utopian idea is for some kind of protocol (or equivalent) that would allow native package managers (mobile or desktop) to "plug in" to the website repos of authors, directly.
refalo
in reply to JubilantJaguar • • •JubilantJaguar
in reply to refalo • • •sic_semper_tyrannis
Unknown parent • • •scoobford
Unknown parent • • •Iirc Molly in F-droid still using FCM and the google maps API. If you want Molly-Foss, you have to use Obtanium to pull APKs from their git releases.
Edit: I was wrong, you can get it off their F-Droid repository.
Kairos
in reply to scoobford • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to sic_semper_tyrannis • • •sic_semper_tyrannis
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •beautiful_orca
in reply to sic_semper_tyrannis • • •Molly-FOSS is awesome and it now has UnifiedPush support built-in!
Get it with Obtainium
GitHub - mollyim/mollyim-android: Enhanced and security-focused fork of Signal.
GitHubsic_semper_tyrannis
in reply to beautiful_orca • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to sic_semper_tyrannis • • •Just make sure to set up UnifiedPush if you want to receive notifications while your Molly database is locked. I recommend the new Sunup UP distributor. I wanted to make a post about it in !unifiedpush@lemmy.dbzer0.com, but never got around to do it.
For Mollysocket, there are a few public instances. molly.adminforge.de is one of them. You can also set up your own on Fly.io, check out this repo: github.com/pcrockett/mollysock…
Or you can obviously self-host it on any VPS or hardware that you own
android
Codeberg.orgbeautiful_orca
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •I have my own mollysocket and ntfy, both on tailscale domains with funnel. You can restrict your mollysocket to only your ID.
What makes Sunup different from ntfy? Is it better?
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to beautiful_orca • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to beautiful_orca • • •Accrescent
Accrescenttransitinoir
Unknown parent • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to scoobford • • •Accrescent
Accrescentfmstrat
in reply to sic_semper_tyrannis • • •You can also install directly from Signal via Obtainium. apps.obtainium.imranr.dev/
{"id":"org.thoughtcrime.securesms","url":"https://updates.signal.org/android/latest.json","author":"Signal","name":"Signal","preferredApkIndex":0,"additionalSettings":"{\"intermediateLink\":[],\"customLinkFilterRegex\":\"\",\"filterByLinkText\":false,\"skipSort\":false,\"reverseSort\":false,\"sortByLastLinkSegment\":false,\"versionExtractWholePage\":false,\"requestHeader\":[{\"requestHeader\":\"User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36\"}],\"defaultPseudoVersioningMethod\":\"partialAPKHash\",\"trackOnly\":false,\"versionExtractionRegEx\":\"\\\\d+.\\\\d+.\\\\d+\",\"matchGroupToUse\":\"\",\"versionDetection\":true,\"useVersionCodeAsOSVersion\":false,\"apkFilterRegEx\":\"\",\"invertAPKFilter\":false,\"autoApkFilterByArch\":true,\"appName\":\"\",\"shizukuPretendToBeGooglePlay\":false,\"allowInsecure\":false,\"exemptFromBackgroundUpdates\":false,\"skipUpdateNotifications\":false,\"about\":\"Signal is an open-source end to end encrypted messaging app.\"}","overrideSource":null}Obtainium Apps
apps.obtainium.imranr.dev