@briankrebs The best part is the flatpak origin is unverified :D https://flathub.org/apps/org.signal.Signal
And I confirm I cannot find any hash or signature on their website.
That Flatpak package, linked above in this thread, is unofficial. Our official download instructions for Linux tell people how to install our APT key, and every release is signed. I'm assuming Brian Krebs' original is referring to macOS. Our releases are signed on macOS and Windows too. 💐

@Mer__edith Why not take ownership of the Flatpak then? Only Debian-based distributions use apt, but Flatpak works on damn near everything.

@Mer__edith @x_cli @apicultor @briankrebs Oh, damn, I'm using the Flatpak package on Fedora because of that (I thought it was the official package). Better than a takedown, would Signal be able to take it over and make it official, please, @Mer__edith? We can't run apt packages on Fedora, etc. Barring that, yeah, it should either be taken down or marked as unofficial.

@aral @x_cli @apicultor @briankrebs @Mer__edith It's marked as unofficial quite clearly on Flathub, but this is a confusion point I've seen before with store fronts like GNOME Software & co., which don't pass that clear visual through to the end user. I definitely echo the suggestion though. It would be good if Signal would officially take over the Flatpak maintenance. It would help make Signal more (officially) accessible on distros other than Debian/Ubuntu.

@alexhaydock @x_cli @apicultor @briankrebs @Mer__edith Yeah, I almost never hit the Flathub site. GNOME Software not displaying the verification state at the top is quite a security issue. As is having Signal Foundation as the owner. All this time I thought I was using the official Signal Flatpak.

@Mer__edith @apicultor @x_cli Thanks for your reply, Meredith. Yes, I was referring to the Mac version. Does Signal publish information about how users can verify downloads? 1/2

Thanks for the suggestion. This is something that we could potentially add to the Support Center. It would also be great if macOS made this information more readily accessible outside of the terminal.

@Mer__edith @briankrebs @apicultor @x_cli Patrick Wardle wrote a small macOS extension to add UI for this: https://objective-see.org/products/whatsyoursign.html

@Mer__edith @apicultor @x_cli @briankrebs apt, so Debian, yes. But what about non-Debian-based systems? Rumor has it that they exist. For me there is no verifiable installation of the program because I am not in the Debian family. And that is indeed a problem.

@maswaba @Mer__edith @apicultor @x_cli @briankrebs A signed RPM for the Red Hat/Fedora/CentOS/SUSE/Alma/Rocky crowd isn't too complex to add, IMHO. Happy to help facilitate that, if wanted.

@Mer__edith @apicultor @x_cli @briankrebs Maybe see if @popey or someone can get the Flatpak pulled down then, because it looks official but is also terrible.

@falken @Mer__edith @apicultor @x_cli @briankrebs Nothing to do with me. There's a GitHub link from the Flathub repo if you wanna go wild. The snap is unofficial too, but that builds from source rather than repacking the deb. Not that it makes a whole heap of difference. Both have 100K+ users, so I guess some people trust them.

@Mer__edith@mastodon.world @apicultor@hachyderm.io @x_cli@infosec.exchange @briankrebs@infosec.exchange Could you please publish an official Flatpak? Some of us use immutable distros for both stability and security reasons, rendering these instructions moot.

@x_cli I love how there's a yellow "unverified" indicator, but hovering or clicking on that does nothing. How unuseful.
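The thread asks how a user can verify a macOS download from the terminal. The script below is an added example, not Signal's own code or instructions: it runs the two checks a practitioner would do by hand (is the signature intact, and which Team ID signed it) and parses the `codesign -dv --verbose=4` output to compare the Team ID and certificate chain against what you expect. The expected Team ID is a placeholder you must fill in from a known-good install or Signal's documentation (assumption, not from the page), and the embedded sample output is constructed so the parsing can be exercised without a Mac.

```shell
#!/bin/sh
# Added example (not Signal's code): verify a macOS app bundle's code signature
# from the terminal and check who signed it.
#
# ASSUMPTION: EXPECTED_TEAM_ID must be set to the Team ID of the legitimate
# publisher, taken from a trusted source; the placeholder below is not real.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-REPLACE_WITH_KNOWN_TEAM_ID}"

# Pull one "Key=value" field out of `codesign -dv --verbose=4` output on stdin.
# codesign prints that report on stderr, so callers must redirect 2>&1.
sig_field() {
  sed -n "s/^$1=//p" | head -n 1
}

# Decide from the textual report whether the signature is what we expect:
#   - TeamIdentifier equals the expected Team ID
#   - the chain is a Developer ID chain anchored at Apple Root CA
# Returns 0 on match, 1 (with a reason on stderr) otherwise.
check_signature_text() {
  text="$1"
  expected="$2"
  team=$(printf '%s\n' "$text" | sig_field TeamIdentifier)
  if [ "$team" != "$expected" ]; then
    echo "TeamIdentifier mismatch: got '${team:-<none>}', want '$expected'" >&2
    return 1
  fi
  if ! printf '%s\n' "$text" | grep -q '^Authority=Developer ID Certification Authority$'; then
    echo "not a Developer ID signature" >&2
    return 1
  fi
  if ! printf '%s\n' "$text" | grep -q '^Authority=Apple Root CA$'; then
    echo "chain is not anchored at Apple Root CA" >&2
    return 1
  fi
  return 0
}

# Live check of an installed bundle. Two independent questions:
#   1. Is the signature intact?   codesign --verify --deep --strict
#   2. Who signed it?             codesign -dv --verbose=4, then compare Team ID
# A valid signature from the wrong Team ID is still a failure.
check_app() {
  app="$1"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available (not macOS?)" >&2
    return 2
  fi
  codesign --verify --deep --strict --verbose=2 "$app" || return 1
  check_signature_text "$(codesign -dv --verbose=4 "$app" 2>&1)" "$EXPECTED_TEAM_ID"
}

# Constructed sample in the shape codesign prints; identifiers are illustrative.
SAMPLE_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Runtime Version=13.0.0
Sealed Resources version=2 rules=13 files=100'

# Usage: sh check_signature.sh /Applications/Signal.app
if [ -n "${1:-}" ]; then
  check_app "$1"
fi
```

Run it against the installed bundle after setting `EXPECTED_TEAM_ID`; a Gatekeeper-policy view of the same bundle is `spctl --assess --type execute --verbose=2 /Applications/Signal.app`. WhatsYourSign, linked above, shows the same certificate chain and Team ID in a Finder context menu, which is the "outside of the terminal" view the thread wishes macOS offered by default.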
@x_cli This is a really bad look, and it's gone on for YEARS now.
@Mer__edith Any insight?
@briankrebs