I just noticed today that Signal (not talking Molly) is now available on F-Droid via the “Guardian” repository.
Just wanted to give everyone a heads up.
I just noticed today that Signal (not talking Molly) is now available on F-Droid via the “Guardian” repository.
Just wanted to give everyone a heads up.
It’s probably not an official thing. F-Droid can’t distribute apps in the official repo via their own policy if the developer doesn’t agree. Third-party repos like Guardian can.
Can confirm, the repository was Guardian Project
I know, it even says so in the post:
Haha it would help if I could read 🤣
If it’s not official, how do you verify who is building the binary?
I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website
AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian
Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.
Because I didn’t really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It’s named
Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.I then used
keytoolto print the signature certificate fingerprint: (renamed the files to make it less confusing)Signer #1: Certificate #1: Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Serial number: 4bfbebba Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045 Certificate fingerprints: SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26 Signature algorithm name: SHA1withRSA (weak) Subject Public Key Algorithm: 1024-bit RSA key (weak) Version: 3Signer #1: Certificate #1: Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Serial number: 4bfbebba Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045 Certificate fingerprints: SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26 Signature algorithm name: SHA1withRSA (weak) Subject Public Key Algorithm: 1024-bit RSA key (weak) Version: 3The fingerprints are identical.
Another edit: I just noticed that Signal even has official instructions for checking the signature on their APK download page. They use
apksignerinstead ofkeytool, but it’s basically the same process.Thanks for doing this!
Takes like 2 minutes 😅