Embed Notice
HTML Code
Corresponding Notice
- Embed this notice
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 17-Sep-2024 01:05:31 JST翠星石 @briankrebs A hash alone is only useful to check for corruption - any competent attacker will update the hash as well.
Signal does sign their Debian systemd/Linux archives with gnupg; https://signal.org/download/linux/
Generally this is why you use a package manager on GNU rather than installing arbitrary binaries - people go and check the software to some degree, hash it and put a signature on the hash and that signature and hash is verified on install.
I'm dubious about signal-desktop, as it's not published in source code form on Gentoo - there's only a -bin version that ships the .deb.
To be honest, signal-desktop is completely useless, as it is just a proxy to signal on a demon rectangle.