BrianKrebs

Anyone know if Signal publishes the SHA-1 (or some hash) of its desktop versions? I don't like installing critical apps like this without verifying their integrity.

I know I'm showing my age in a Man Shakes Fist at Cloud way, but it wasn't so long ago that software makers actually published this information on their downloads page.

42 comments
Gavin

@briankrebs Homebrew (Cask) uses them for verification on the macOS desktop version, but I don't see where these are sourced from. Last time I contributed, users were expected to provide a reference for these values, but it appears that requirement has been removed/relaxed.

github.com/Homebrew/homebrew-c

Gavin

@briankrebs and it looks like they prefer to rely on codesigning rather than checksumming

github.com/signalapp/Signal-De

Jernej Simončič

@briankrebs The Windows installer is digitally signed by "Signal Messenger, LLC" – you can verify the signature by right-clicking the file → Properties → Digital Signatures tab → double-click the signature.

F. Maury ⏚

@briankrebs The best part is the flatpak origin is unverified :D flathub.org/apps/org.signal.Si

And I confirm I cannot find any hash or signature on their website.

Apicultor 🐝

@x_cli This is a really bad look, and it's gone on for YEARS now.

@Mer__edith Any insight?

@briankrebs

Meredith Whittaker

@apicultor @x_cli @briankrebs

That Flatpak package, linked above in this thread, is unofficial.

Our official download instructions for Linux tell people how to install our APT key, and every release is signed.

I'm assuming Brian Krebs' original is referring to macOS. Our releases are signed on macOS and Windows too.

💐

Apicultor 🐝

@Mer__edith Why not take ownership of the Flatpak then? Only Debian-based distributions use apt, but Flatpak works on damn near everything.

@x_cli @briankrebs

F. Maury ⏚

@Mer__edith
Yet, the flatpak is said to be published "by Signal Foundation". If that's not the case, the package is usurping Signal Foundation's identity, and people using Flatpak-oriented distros are targeted by this usurper. Can you request a takedown, please?
@apicultor @briankrebs

Aral Balkan

@x_cli @apicultor @briankrebs Oh, damn, I’m using the Flatpak package on Fedora because of that (I thought it was the official package).

Better than a takedown, would Signal be able to take it over and make it official, please, @Mer__edith? We can’t run apt packages on Fedora, etc.

Barring that, yeah, it should either be taken down or marked as unofficial.

F. Maury ⏚

@aral
I suppose we can try and run a Debian version in a pod, by exposing the Wayland socket, but that's a bit convoluted... Let's not do that 😅

Alex Haydock

@aral @x_cli @apicultor @briankrebs @Mer__edith

It's marked as unofficial quite clearly on Flathub but this is a confusion point I've seen before with store fronts like GNOME Software & co, which don't pass through that clear visual to the end-user.

I definitely echo the suggestion though. It would be good if Signal would officially take over the Flatpak maintenance. It would help make Signal more (officially) accessible on distros other than Debian/Ubuntu.

Aral Balkan

@alexhaydock @x_cli @apicultor @briankrebs @Mer__edith Yeah, I almost never hit the Flathub site. GNOME software not displaying the verification state at the top is quite a security issue. As is having Signal Foundation as the owner. All this time I thought I was using the official Signal flatpak.

BrianKrebs

@Mer__edith @apicultor @x_cli Thanks for your reply, Meredith. Yes, I was referring to the Mac version. Does Signal publish information about how users can verify downloads?

Meredith Whittaker

@briankrebs @apicultor @x_cli

1/2

Thanks for the suggestion. This is something that we could potentially add to the Support Center. It would also be great if macOS made this information more readily accessible outside of the terminal.

Meredith Whittaker

@briankrebs @apicultor @x_cli

2/2

In the meantime, you can run the following commands on macOS to verify that Signal is properly signed and notarized:

% spctl --assess -vv /Applications/Signal.app
/Applications/Signal.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)

% codesign --verify --verbose /Applications/Signal.app
/Applications/Signal.app: valid on disk
/Applications/Signal.app: satisfies its Designated Requirement

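An added example, not from Meredith's post or from Signal's own tooling: a POSIX shell script that runs the same two commands and additionally pins the Developer ID Team ID shown in the output above (U68MSDN6DR), because a signature that is merely valid could belong to any Developer ID. The parsing step is a separate function so it can be checked against captured spctl output on any system; the verify_app wrapper only does real work on macOS.

```shell
#!/bin/sh
# Team ID and app path come from the spctl output quoted in the thread.
EXPECTED_TEAM_ID="U68MSDN6DR"

# check_spctl_output OUTPUT TEAM_ID
# Returns 0 only if the assessment was accepted, the source is a notarized
# Developer ID, and the origin line ends in the expected Team ID.
# Non-zero codes identify which check failed (1..4).
check_spctl_output() {
    out="$1"; team="$2"
    printf '%s\n' "$out" | grep -q '^/.*: accepted$' || return 1
    printf '%s\n' "$out" | grep -q '^source=Notarized Developer ID$' || return 2
    origin=$(printf '%s\n' "$out" | sed -n 's/^origin=Developer ID Application: //p')
    [ -n "$origin" ] || return 3
    # The Team ID is the 10-character token in parentheses at the end of the origin line.
    got=$(printf '%s\n' "$origin" | sed -n 's/.*(\([A-Z0-9]\{10\}\))$/\1/p')
    [ "$got" = "$team" ] || return 4
    return 0
}

# verify_app APP_PATH
# Runs codesign (integrity + designated requirement) and spctl (Gatekeeper
# assessment), then pins the Team ID. Only meaningful where the tools exist.
verify_app() {
    app="$1"
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found (not macOS?)" >&2; return 10; }
    codesign --verify --deep --strict --verbose=2 "$app" 2>&1 || return 11
    # spctl writes its assessment to stderr, so merge it into the captured text.
    assessment=$(spctl --assess -vv "$app" 2>&1) || return 12
    check_spctl_output "$assessment" "$EXPECTED_TEAM_ID"
}

# Usage: ./verify_signal.sh /Applications/Signal.app
if [ $# -gt 0 ]; then
    verify_app "$1" && echo "signed, notarized, and Team ID matches $EXPECTED_TEAM_ID"
fi
```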

Marcus Schwarz 🇪🇺

@Mer__edith @apicultor @x_cli @briankrebs apt, so Debian, yes. But what about non-Debian based systems? Rumor has it that they exist. For me there is no verifiable installation of the program because I am not in the Debian family. And that is indeed a problem.

Jan Wildeboer 😷

@maswaba @Mer__edith @apicultor @x_cli @briankrebs a signed RPM for the Red Hat/Fedora/CentOS/SUSE/Alma/Rocky crowd isn’t too complex to add, IMHO. Happy to help facilitate that, if wanted.

⊥ᵒᵚ Cᵸᵎᶺᵋᶫ∸ᵒᵘ ☑️

@Mer__edith @apicultor @x_cli @briankrebs Maybe see if @popey or someone can get the flatpak pulled down then, because it looks official but is also terrible.

popey

@falken @Mer__edith @apicultor @x_cli @briankrebs

Nothing to do with me. There's a github link from the flathub repo if you wanna go wild. The snap is unofficial too, but that builds from source rather than repacking the deb. Not that it makes a whole heap of difference. Both have 100K+ users so I guess some people trust them.

David Fleetwood

@Mer__edith@mastodon.world @apicultor@hachyderm.io @x_cli@infosec.exchange @briankrebs@infosec.exchange Could you please publish an official flatpak? Some of us use immutable distros for both stability and security reasons, rendering these instructions moot.

BrianKrebs

@x_cli I love how there's a yellow "unverified" indicator, but hovering or clicking on that does nothing. How unuseful.

翠星石

@briankrebs A hash alone is only useful to check for corruption - any competent attacker will update the hash as well.

Signal does sign their Debian systemd/Linux archives with gnupg; https://signal.org/download/linux/

Generally this is why you use a package manager on GNU rather than installing arbitrary binaries - people go and check the software to some degree, hash it and put a signature on the hash, and that signature and hash are verified on install.

I'm dubious about signal-desktop, as it's not published in source code form on Gentoo - there's only a -bin version that ships the .deb.

To be honest, signal-desktop is completely useless, as it is just a proxy to signal on a demon rectangle.
echarlie

@briankrebs By necessity on linuxes they're signed: I don't like installing extra signing keys into my Debian keyring, but they run a repo, which is better than e.g. Discord.

Piper

@briankrebs@infosec.exchange @notecharlie@social.bigcavemaps.com If you put a file like this https://asymptote.club/~pmc/apt/asymptote.sources into your /etc/apt/sources.list.d, you can provide a key for just that one repo.

Marcus

@briankrebs The Arch Linux package build lists hashes [1]. I do not know where they got them from (@archlinux ?)

but it provides some frame of reference at least

[1] gitlab.archlinux.org/archlinux

Jurgis Bridžius

@briankrebs You can mount the .dmg on macOS and use a combination of codesign and spctl on Signal.app in the terminal to verify that it comes signed with an Apple DeveloperID and that the contents haven't been modified after signing. But that's as far as I got.

Ralph Katz

@briankrebs See Signal's Linux desktop install instructions.

Butor Zigzag

@briankrebs As a Young Man Who Doesn't Understand Cloud, I never understood the security model for these. It's likely that I downloaded the software and the hash from the same place (their website), so how can that help me determine if the website is compromised?

Dragon-sided D

@butorzigzag @briankrebs It ensures that the executable you run is the same as the one the author released -- not one that was subsequently subtly altered (e.g. via MITM or maybe a later malicious repo upload).

whereami

@dragonsidedd @butorzigzag @briankrebs no it doesn’t, because a threat actor who compromises the author’s website can change both the executable and the published hash

Dragon-sided D

@whereami @butorzigzag @briankrebs That's true, and if it's in your threat model, you'll want to wait for caches like the Internet Archive or Google/Bing to check against.

selje 🇺🇸 🇺🇦

@briankrebs
Preferably a SHA-256 or SHA-512 for me, along with a GPG .asc verification signature file. 🤨

Jon

@briankrebs Did you go to the website and look at the page? Because it has GPG signatures there

隻眼の王

@briankrebs open source projects typically do this for their downloads. Makes one wonder why everyone doesn't.

SpaceLifeForm

@briankrebs

I recall webpages with more than one hash tied to the download file. Even PGP Signatures.

Apparently, web site maintenance is too expensive.
