I just noticed today that Signal (not talking Molly) is now available on F-Droid via the “Guardian” repository.

Just wanted to give everyone a heads up.

fmstrat

You can also install directly from Signal via Obtainium. https://apps.obtainium.imranr.dev/

{"id":"org.thoughtcrime.securesms","url":"https://updates.signal.org/android/latest.json","author":"Signal","name":"Signal","preferredApkIndex":0,"additionalSettings":"{\"intermediateLink\":[],\"customLinkFilterRegex\":\"\",\"filterByLinkText\":false,\"skipSort\":false,\"reverseSort\":false,\"sortByLastLinkSegment\":false,\"versionExtractWholePage\":false,\"requestHeader\":[{\"requestHeader\":\"User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36\"}],\"defaultPseudoVersioningMethod\":\"partialAPKHash\",\"trackOnly\":false,\"versionExtractionRegEx\":\"\\\\d+.\\\\d+.\\\\d+\",\"matchGroupToUse\":\"\",\"versionDetection\":true,\"useVersionCodeAsOSVersion\":false,\"apkFilterRegEx\":\"\",\"invertAPKFilter\":false,\"autoApkFilterByArch\":true,\"appName\":\"\",\"shizukuPretendToBeGooglePlay\":false,\"allowInsecure\":false,\"exemptFromBackgroundUpdates\":false,\"skipUpdateNotifications\":false,\"about\":\"Signal is an open-source end to end encrypted messaging app.\"}","overrideSource":null}

Tlacuachito

Is there anything specifically wrong with Molly? It seems more locked down by default and is fully open source. Seems better to me.


No, nothing wrong with it. I use it actually. People are used to Molly being on F-Droid so I didn’t want anyone to think that I was referencing that instead of actual Signal.

I have a tangential question. Would it not make sense for an OS, in this case Android, to have some proper mechanism for installing apps (in this case APKs) directly from a website (as lots of people have been doing fastidiously from signal.org by necessity)?

After all, this is all about trust. With software, assuming that you trust the developer, the goal is to be sure that nobody interfered with the developer’s compiled software - and who better to guarantee that than the developer themself, at their own domain? DNS resolution is already based on the “web of trust” principle, which is why you can trust your bank’s website. Arguably F-Droid performs a valuable role as a curator and selector of good software, but is there any good technical need for it to actually distribute the software?

Not exactly answering your question, but you can use the app Obtainium to fetch the APK URL from a website/GitHub repo and many other sources to install directly. It also supports F-Droid repos and many other sources out of the box. Kinda halfway to what you mentioned in your first paragraph.

Yes, true! Forgot about Obtainium. Personally I’m not much tempted because all it does is swap out F-Droid for GitHub (i.e. Microsoft) as the middleman. But I agree that it’s definitely a win for convenience.

PS: Turns out Obtainium is source-agnostic. Good news.

Of course GitHub is just an example, but you can pretty much regex any URL and further filter out anything in order to get the APK link with it. So depending on your level of privacy requirement and trusted sources, you can skip all the centralized ones and build your own list of sources.

So it does! OK so this is pretty close to a decent solution after all (the ideal one being IMO exactly the same thing but native to the OS). Thanks for the correction.

Please forgive if this is a stupid question, but what is the difference between the play store version and this? Assuming it is not altered by a bad actor.

I would hope the difference is that the f-droid version does not contain any proprietary code.

No, it’s not a special “FOSS” version, it’s just the official binary distributed through the Guardian Project repo (as I have proven: https://lemmy.dbzer0.com/comment/16230276). If you want a FOSS variant, check out Signal-FOSS or Molly; they also offer a FOSS variant. You can either download it from their custom F-Droid repo, pull the APK from GitHub using Obtainium or get it from Accrescent.

As I recall, ALL apps in the Google Play Store have to have some sort of Google shit embedded into them. Therefore, it’s better to download something outside of Google if you want to remain degoogled.

@zqwzzle@lemmy.ca

It’s weird that this isn’t mentioned on the Signal website or blog? They also distribute the binary with a signature you can check there if you want a non-Play Store source that’s actually verifiable.

It’s probably not an official thing. F-Droid can’t distribute apps in the official repo via their own policy if the developer doesn’t agree. Third-party repos like Guardian can.

Can confirm, the repository was Guardian Project

I know, it even says so in the post:

I just noticed today that Signal (not talking Molly) is now available on F-Droid via the “Guardian” repository.

Haha it would help if I could read 🤣

If it’s not official, how do you verify who is building the binary?

I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website

AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian


Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.

Because I didn’t really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It’s named Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.

I then used keytool to print the signature certificate fingerprint: (renamed the files to make it less confusing)

keytool -printcert -jarfile signal-website.apk
Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

keytool -printcert -jarfile signal-guardian.apk
Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

The fingerprints are identical.


Another edit: I just noticed that Signal even has official instructions for checking the signature on their APK download page. They use apksigner instead of keytool, but it’s basically the same process.
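An added example, not part of the thread and not Signal’s or the Guardian Project’s own tooling: a POSIX shell script that pins the certificate SHA-256 digest printed above and refuses any APK whose signer differs. It assumes apksigner from the Android SDK build-tools is on PATH and that its --print-certs output carries a “Signer #1 certificate SHA-256 digest:” line (bare lowercase hex, where keytool prints colon-separated uppercase); the function names are the example’s own. The pinned value is copied from the keytool output in this thread and should be confirmed against Signal’s own APK download page before anyone relies on it. Unlike keytool -printcert, apksigner verify also validates the v2/v3 signature blocks, so a modified APK fails before the digest is even compared.

```shell
#!/bin/sh
# Added example: pin Signal's release-signing certificate and refuse an APK whose
# signer differs. Pinned value copied from the keytool SHA256 line in the thread;
# function names (norm_fp, digest_from_apksigner_output, check_digest, verify_apk)
# are this example's own, not Signal's or Guardian Project's tooling.
EXPECTED_SHA256="29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26"

# Canonical form for comparison: no colons, lowercase. keytool prints colon-separated
# uppercase; apksigner prints bare lowercase hex, so both normalise to the same string.
norm_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-Z' 'a-z'
}

# Pull the first signer's SHA-256 certificate digest out of
# `apksigner verify --print-certs` output read from stdin. Prints nothing if absent.
digest_from_apksigner_output() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Returns 0 if the digest equals the pin, 1 otherwise (an empty digest never matches).
check_digest() {
    actual=$(norm_fp "$1")
    expected=$(norm_fp "$EXPECTED_SHA256")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# End-to-end check of a file. apksigner (Android SDK build-tools, assumed on PATH)
# exits non-zero when the v1/v2/v3 signatures do not verify, so a tampered APK is
# rejected before its certificate is compared against the pin.
verify_apk() {
    apk="$1"
    out=$(apksigner verify --print-certs "$apk") || {
        echo "FAIL: signature verification failed for $apk" >&2
        return 1
    }
    digest=$(printf '%s\n' "$out" | digest_from_apksigner_output)
    if check_digest "$digest"; then
        echo "OK: $apk is signed by the pinned Signal certificate"
        return 0
    fi
    echo "FAIL: $apk signer digest '$digest' does not match pin $(norm_fp "$EXPECTED_SHA256")" >&2
    return 1
}

# Usage: sh verify_apk.sh Signal-Android-website-prod-universal-release-7.30.2.apk
if [ "$#" -eq 1 ]; then
    verify_apk "$1"
fi
```

Run it against both the website APK and the one pulled from the Guardian Project repo; a non-zero exit from either means the file is not the binary Signal signed, whatever its file name says.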

Thanks for doing this!

Takes like 2 minutes 😅
