I just noticed today that Signal (not talking Molly) is now available on F-Droid via the “Guardian” repository.
Just wanted to give everyone a heads up.
It’s weird that this isn’t mentioned on the Signal website or blog? They also distribute the binary with a signature you can check there if you want a non-Play Store source that’s actually verifiable.
It’s probably not an official thing. F-Droid can’t distribute apps in the official repo via their own policy if the developer doesn’t agree. Third-party repos like Guardian can.
If it’s not official, how do you verify who is building the binary?
I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website
AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian
Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.
Because I didn’t really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It’s named Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.
I then used keytool to print the signature certificate fingerprint: (renamed the files to make it less confusing)
keytool -printcert -jarfile signal-website.apk
Signer #1:
Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
    SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
    SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3
keytool -printcert -jarfile signal-guardian.apk
Signer #1:
Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
    SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
    SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3
The fingerprints are identical.
Another edit: I just noticed that Signal even has official instructions for checking the signature on their APK download page. They use apksigner instead of keytool, but it’s basically the same process.
Thanks for doing this!
Takes like 2 minutes 😅
You have quite a bit of background knowledge to know how to do that though, you should give yourself more credit!
Thanks, I mean I used to work as a Java developer before, and I’m quite interested in the Android platform, so I’m familiar with the SDK and build tools, and know how app signatures work
But it’s really not that hard to figure out. There are countless guides on the internet, and as I said, Signal even has a quick guide for how to verify the APK signature on the download page
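The fingerprint comparison described in the posts above, as an added example that is not part of any post: a shell helper that pulls the signer SHA-256 out of `keytool -printcert -jarfile` output and checks it against a pinned value, so the check can be repeated on every update. The function names and the trimmed sample text are constructed here, the fingerprint is the one quoted in the thread, and rejecting output with zero or several fingerprints is a choice made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: pin the signer fingerprint instead of
# comparing two keytool dumps by eye.

# SHA-256 of the signing certificate, as quoted in the thread.
PINNED_SHA256='29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26'

# Constructed sample: trimmed `keytool -printcert -jarfile` output using the
# values posted in the thread, one field per line as keytool prints it.
sample_keytool_output() {
cat <<'EOF'
Signer #1:
Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Certificate fingerprints:
    SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
    SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
EOF
}

# Print each SHA-256 fingerprint found on stdin as 64 uppercase hex digits.
# The SHA1 line never matches, so it cannot be mistaken for the pinned value.
cert_sha256() {
    grep -oE 'SHA-?256: *([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}' |
        sed 's/^[^:]*: *//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Exit 0 only when stdin carries exactly one fingerprint equal to $1.
# Exit 1 on mismatch, 2 when there is no fingerprint or more than one.
check_signer() {
    want=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    got=$(cert_sha256)
    [ -n "$got" ] || { echo "no SHA-256 fingerprint found" >&2; return 2; }
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] ||
        { echo "more than one fingerprint, check by hand" >&2; return 2; }
    [ "$got" = "$want" ] || { echo "MISMATCH: got $got" >&2; return 1; }
    echo "signer OK"
}

# Real use (file names as in the thread):
#   keytool -printcert -jarfile signal-guardian.apk | check_signer "$PINNED_SHA256"
#   cmp signal-website.apk signal-guardian.apk   # same bytes, not only same signer
sample_keytool_output | check_signer "$PINNED_SHA256"
```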
Can confirm, the repository was Guardian Project
I know, it even says so in the post:
I just noticed today that Signal (not talking Molly) is now available on F-Droid via the “Guardian” repository.
Haha it would help if I could read 🤣
Perhaps a result of the proposed ban on distributing TikTok via Google and Apple is that some developers rethink their distribution mechanisms.
Thanks. You can get it by Obtainium too.
Is there anything specifically wrong with Molly? It seems more locked down by default and is fully open source. Seems better to me.
No, nothing wrong with it. I use it actually. People are used to Molly being on F-Droid so I didn’t want anyone to think that I was referencing that instead of actual Signal.
IIRC Molly in F-Droid is still using FCM and the Google Maps API. If you want Molly-FOSS, you have to use Obtainium to pull APKs from their git releases.
Edit: I was wrong, you can get it off their F-Droid repository.
No. You can use their F-Droid repo to get Molly-FOSS
You can also get it from Accrescent
Please rename the thread to “Signal in the Guardian project F-Droid repo” or something like that to avoid confusion, because as you have noticed, it’s not available in the main F-Droid repo, just in the third-party repo maintained by the Guardian project
Done
Molly-FOSS is awesome and it now has UnifiedPush support built-in!
Get it with Obtainium
Woah that’s awesome to hear about the FOSS variant. I’ll switch over to that version now
Just make sure to set up UnifiedPush if you want to receive notifications while your Molly database is locked. I recommend the new Sunup UP distributor. I wanted to make a post about it in !unifiedpush@lemmy.dbzer0.com, but never got around to doing it.
For Mollysocket, there are a few public instances. molly.adminforge.de is one of them. You can also set up your own on Fly.io, check out this repo: https://github.com/pcrockett/mollysocket-fly
Or you can obviously self-host it on any VPS or hardware that you own
I have my own mollysocket and ntfy, both on tailscale domains with funnel. You can restrict your mollysocket to only your ID.
What makes Sunup different from ntfy? Is it better?
The Ntfy Android app hasn’t been updated in almost a year, and in my experience it consumes more battery than Sunup.
Or via Accrescent
I was gonna say, I got Molly-FOSS from F-Droid, but I actually had to go back and check. It checks out though. I did also get Obtainium so I can keep a better eye on updates and actually check the changes on git before updating something as important as secure, encrypted comms. Also I figured I should really start checking the signature each update from now on.
You can also install directly from Signal via Obtainium. https://apps.obtainium.imranr.dev/
{"id":"org.thoughtcrime.securesms","url":"https://updates.signal.org/android/latest.json","author":"Signal","name":"Signal","preferredApkIndex":0,"additionalSettings":"{\"intermediateLink\":[],\"customLinkFilterRegex\":\"\",\"filterByLinkText\":false,\"skipSort\":false,\"reverseSort\":false,\"sortByLastLinkSegment\":false,\"versionExtractWholePage\":false,\"requestHeader\":[{\"requestHeader\":\"User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36\"}],\"defaultPseudoVersioningMethod\":\"partialAPKHash\",\"trackOnly\":false,\"versionExtractionRegEx\":\"\\\\d+.\\\\d+.\\\\d+\",\"matchGroupToUse\":\"\",\"versionDetection\":true,\"useVersionCodeAsOSVersion\":false,\"apkFilterRegEx\":\"\",\"invertAPKFilter\":false,\"autoApkFilterByArch\":true,\"appName\":\"\",\"shizukuPretendToBeGooglePlay\":false,\"allowInsecure\":false,\"exemptFromBackgroundUpdates\":false,\"skipUpdateNotifications\":false,\"about\":\"Signal is an open-source end to end encrypted messaging app.\"}","overrideSource":null}