Signal escrowed app signing keys

Questions
1

Does Signal do anything to prevent targeted updates being served to users via Google Play or the Apple App Store considering they do not solely control the signing keys in both cases?

Proton is moving most of its physical infrastructure out of Switzerland
2

In the case the threat model involves a compromised Google, then the pre-installed Play Services (real-time notifications, for example) and the base OS itself are suspect. And for Pixels, the entire hardware.

From what I can tell, what Signalā€™s doing (for Android) seems like the best they can do:

May be @maqp knows more (about iOS or generally), so tagging them.

2 Likes
3

As far as Iā€™m aware, none of that applies to iOS/Signal-iOS.

Direct download of their universal apk.

Might be nice if they also published the signing certificate hash somewhere other than only the webpage you can source the hidden APK from.

Apparently, their apks can be built reproducibly.

Do they promote community efforts to reproduce the builds and publish that verification information prominently on their socials/website?

Ultimately as a casual observer I donā€™t have any real idea what it takes for a communication software project to be resistant to state actors. However, I donā€™t think it is the case that Signal are particularly paranoid about this (purely from an app delivery/distribution/censorship perspective). They do seem quite cautious about other things like ā€˜secure value recoveryā€™ though.

1 Like
4

Not really my area of expertise. But I have in the past once pulled the Google play store downloaded Signal from Android phone with adb, and compared its hash against reproducible build of Signal with their comparison script and it matched. It was maybe 2018 but I donā€™t see why you couldnā€™t still do that.

1 Like
5

Iā€™m mostly thinking about this in terms of scaling this as a useful signal to Signalā€™s intended audience. They probably wonā€™t be building the app themselves or going through the efforts required to build it reproducibly. Youā€™re right that some sort of verification of independent building parties would be needed for it to be useful.

2 Likes
6

Mostly for my own reference since I dislike looking for links I have previously seen:

Signal quoted using reproducible builds and code transparency to mitigate the Play App Signing issue here:

Hey folks, I know thereā€™s some concerns around Play Store signing. Unfortunately, we were in a situation where we were using a 1024-bit key, which is not quite good enough by modern standards, and we wanted to upgrade it to a 4096-bit key. Android has a mechanism to do this on newer API levels by dual-signing the APKs. Simple enough. Unfortunately, the Play Store does not allow you to distribute dual-signed APKs unless youā€™re opted into Play Store signing. So we were stuck between a rock and a hard place.

The good news is that thereā€™s updated reproducible build steps that let you verify all the same things about how the app was built. Thereā€™s also a new ā€œcode transparencyā€ quick check you can do to verify the code-parts of the APK are unchanged from what we uploaded without having to go through the whole reproducible build process.

Weā€™ll continue to think of other things we can do to help alleviate the issue.

Signal teasing alternative distribution methods here:

Now that Signal uses Github releases, why not put an apk there too?

That is one idea, but weā€™re exploring some other distribution ideas that I think people will be very pleased with.

Signal recently started publishing APKs on Github apparently. Long may the centralisation of software development and distribution on Github continue..

Thereā€™s multiple ways to get a Signal-signed APK these days. First, as previously mentioned, you can use Signal >> Signal Android APK, which has a self-updating mechanism. Alternatively, you can use Obtainium and point it to our Github repo, where we also publish signed releases, and you can have it manage your updates. We provide instructions on the forum.

Regarding the security model, historically F-Droid required that it signed the builds themselves. This honestly never felt great, because if theyā€™re in charge of signing, they could change the APK however they wanted. Since then, F-Droid allowed the ability to self-sign, so long as your builds passed their reproducibility rules. Thatā€™s pretty cool, but honestly not the most fun thing to setup.

Of course, in the meantime, Google Play has required the ability to sign our APK too, so in that way itā€™s sort of a wash. There is a new Code Transparency certificate system thatā€™s a pseudo-replacement, but you have to manually check it.

But F-Droid is also in a lot of trouble in general with the new requirements Google is pushing around developer registration. You can read F-Droidā€™s latest stance on their blog. They have a few options, but theyā€™re all bad. It goes without saying that the new developer registration rules are really terrible for many reasons, and it sucks that F-Droid is in a weird spot.

1 Like
7

Ouch.

Not speaking for the collective, but personally, as someone whoā€™s been continually asked to move to codeberg or src.ht, I can attest that the freebies from GitHub are too good to ignore.

For FOSS projects that arenā€™t awash in money, all that (however awful) CI/CD infrastructure to go with code & project (issues) hosting for free is god sent.

It is scary, but I get annoyed at having to code without assistance from LLMs Copilot, the Pro version of which is offered for free to developers of ā€œpopularā€[1] FOSS projects using GitHub.

Lastly, GitHub Sponsors is undeniably a frictionless way of getting money through the door. For our projects, we draw ~Ā£50/mo (which is like only Ā£1450 short of our monthly needs) which otherwise would be Ā£0. For context, GitHub Sponsorā€™s ~Ā£50/mo is 50% of all our projectā€™s sponsorship from all other placements combined.

(Also, for some reason, this comment was not moved, and so, copy pasting):

Thatā€™s more of an indictment of iOS than of Signal. And yet, youā€™d see some claim thereā€™s no real difference.

Unsure, but the mechanism exists, regardless.

I mean, youā€™re quite well-versed (:

ā€¦ as a non-practioner, I donā€™t either; but from their technical & political blog posts over the years, it does seem like they do care about state actors.[2][3] That said, Signal has been very clear that they draw the line at ā€œusable securityā€.[4] For instance, sticking with phone numbers as the sole enrollment mechanism (despite the costs; apparently ā€œregistrationsā€ via SMS costs Signal 2x more than what they pay for bandwidth).

The positive I see is, their client apps provide weaker guarantees relative to Signalā€™s server-side deployments, sure, but at least there exist indicators of compromise (reproducibility / code transparency for Android) and alternative access (for iOS users via Signal Desktop?).

  1. Unsure show they define ā€œpopularā€. ā†©ļøŽ

  2. Signal is not made for pristine academic speculation, it is made to be used by real people, all over the world. And many millions do use it, turning to Signal for a safe and pleasant space where intimate, experimental, and private communication can happen outside of the surveillant gaze of dominant tech companies and states who can and do subpoena their data. Signal >> Blog >> A Message from Signal's New President ā†©ļøŽ

  3. In the midst of world-wide protests against racism and police brutality, a lot of people are becoming more immediately aware and concerned about the security of their data and online communication. Weā€™ve gotten a lot of questions at Signal over the past week, so we wanted to briefly recap how it is that weā€™ve designed Signal, and how we think about concepts like privacy, security, and trust. What if the worst should happen, and some unauthorized party were to compromise Signal? Signal >> Blog >> Looking back at how Signal works, as the world moves forward ā†©ļøŽ

  4. From the beginning, the team behind Signal put people and their needs at the core of their commitments. They understood that iron-clad security is fairly pointless if people canā€™t use, access, or feel comfortable with it. In other words, if my friends wonā€™t use a messaging app, it doesnā€™t work as a messaging app. It works as a thought experiment, at best. Understanding this, Signalā€™s developers and designers created an app that honors peopleā€™s needs and expectations, while maintaining strict privacy promises. This is something thatā€™s incredibly difficult to do, and that reflects significant vision and humility. Signal >> Blog >> A Message from Signal's New President ā†©ļøŽ

1 Like
8

My response was also just flagged and not shifted, not sure why @moderators , the flagging message is unhelpful (it says offtopic, yet other comments were moved and mine was not).

Reproducing below:

People do it, and flag diffs to their team (see here). I am not sure if anyone publishes it. I do think that publishing that would be useless, since a bad actor (if signal was one) would simply pretend to be another person online and post false reproducibility information. The best way to ensure that is to build it yourself.

Yes, Apple is the reason Signal is not reproducible on iOS.

I also missed your response entirely @ignoramous , would be happy to see it here or in the DMs if you are up to reproducing it or remembering it. I maintain an archive of all my digital footprint, so I can add it to my own archives at least if itā€™s censored/removed for CoC violation here.