If you own a Android Phone, and you want to use Signal instead of Whatsapp or Telegram for privacy matters, and, for the same privacy matters, you don’t have a Google Account on your phone, or you don’t use Google Play but the free F-Droid, their is a solution. You can download the Signal APK from their website: https://signal.org/android/apk/
They give a warning:
Advanced users with special needs can download the Signal APK directly. Most users should not do this under normal circumstances.
What a normal circumstances these days? You can’t trust Facebook anymore, maybe you can trust Google, but you don’t wanna trust Google, because trusting Google is telling Google where you are, what you do, what you say, what and who you see and who your friends are.
It’s not a matter of trust, it’s a matter of privacy and decency that you don’t do that.
So downloading the Signal APK is probably what you should do these days. But how to be sure you download the real one?
The websites tells you to verify the signing certificate on the APK matches this SHA256 fingerprint. Unfortunately they don’t tell you how to do that.
Verify the signing certificate on the Signal APK.
This one-liner will show you the SHA256 Fingerprint that has to be checked:
unzip -p Signal-website-release-4.31.6.apk META-INF/SIGNAL_S.RSA > /tmp/tmp.cert ; keytool -printcert -file /tmp/tmp.cert
You get this output:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: RSA (1024)
Version: 3
As you can see the SHA256 is the same fingerprint as on the Signal download page.
It’s verified. The Signal apk is safe to use now.
Tags: android
August 2nd, 2019 at 12:05 pm
Bullshit. Doesn’t work.
August 2nd, 2019 at 2:47 pm
You’re wrong. It does. Dependency keytool, which is part of java, so you need `openjdk-13-jre-headless`
unzip -p Signal-website-universal-release-4.44.7.apk META-INF/SIGNAL_S.RSA > /tmp/tmp.cert ; keytool -printcert -file /tmp/tmp.cert
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
December 5th, 2019 at 6:07 pm
Yep, this works. Thanks.
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key