Conversation

Notices

1. Embed this notice
   BrianKrebs (briankrebs@infosec.exchange)'s status on Tuesday, 17-Sep-2024 01:05:31 JST BrianKrebs

   Anyone know if Signal publishes the SHA-1 (or some hash) of its desktop versions? I don't like installing critical apps like this without verifying their integrity.

   I know I'm showing my age in a Man Shakes Fist at Cloud way, but it wasn't so long ago that software makers actually published this information on their downloads page.

   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 17-Sep-2024 01:05:31 JST 翠星石

     in reply to
     @briankrebs A hash alone is only useful to check for corruption - any competent attacker will update the hash as well.
     
     Signal does sign their Debian systemd/Linux archives with gnupg; https://signal.org/download/linux/
     
     Generally this is why you use a package manager on GNU rather than installing arbitrary binaries - people go and check the software to some degree, hash it and put a signature on the hash and that signature and hash is verified on install.
     
     I'm dubious about signal-desktop, as it's not published in source code form on Gentoo - there's only a -bin version that ships the .deb.
     
     To be honest, signal-desktop is completely useless, as it is just a proxy to signal on a demon rectangle.