Anyone know if Signal publishes the SHA-1 (or some hash) of its desktop versions?
-
Anyone know if Signal publishes the SHA-1 (or some hash) of its desktop versions? I don't like installing critical apps like this without verifying their integrity.
I know I'm showing my age in a Man Shakes Fist at Cloud way, but it wasn't so long ago that software makers actually published this information on their downloads page.
-
@briankrebs The best part is the flatpak origin is unverified https://flathub.org/apps/org.signal.Signal
And I confirm I cannot find any hash or signature on their website.
-
@x_cli This is a really bad look, and it's gone on for YEARS now.
@Mer__edith Any insight?
-
Meredith Whittaker replied to Apicultor
That Flatpak package, linked above in this thread, is unofficial.
Our official download instructions for Linux tell people how to install our APT key, and every release is signed.
I'm assuming Brian Krebs' original is referring to macOS. Our releases are signed on macOS and Windows too.
-
Marcus Schwarz replied to Meredith Whittaker
@Mer__edith @apicultor @x_cli @briankrebs apt, so Debian, yes. But what about non-Debian based systems? Rumor has it that they exist. For me there is no verifiable installation of the program because I am not in the Debian family. And that is indeed a problem.
-
Jan Wildeboer replied to Marcus Schwarz
@maswaba @Mer__edith @apicultor @x_cli @briankrebs a signed RPM for the Red Hat/Fedora/CentOS/SUSE/Alma/Rocky crowd isn't too complex to add, IMHO. Happy to help facilitate that, if wanted.