Signal on F-droid Guardian Repo

I just noticed today that Signal (not talking Molly) is now available on F-Droid via the "Guardian" repository.

Just wanted to give everyone a heads up.

46 comments

You can also install directly from Signal via Obtainium. https://apps.obtainium.imranr.dev/
{"id":"org.thoughtcrime.securesms","url":"https://updates.signal.org/android/latest.json","author":"Signal","name":"Signal","preferredApkIndex":0,"additionalSettings":"{\"intermediateLink\":[],\"customLinkFilterRegex\":\"\",\"filterByLinkText\":false,\"skipSort\":false,\"reverseSort\":false,\"sortByLastLinkSegment\":false,\"versionExtractWholePage\":false,\"requestHeader\":[{\"requestHeader\":\"User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36\"}],\"defaultPseudoVersioningMethod\":\"partialAPKHash\",\"trackOnly\":false,\"versionExtractionRegEx\":\"\\\\d+.\\\\d+.\\\\d+\",\"matchGroupToUse\":\"\",\"versionDetection\":true,\"useVersionCodeAsOSVersion\":false,\"apkFilterRegEx\":\"\",\"invertAPKFilter\":false,\"autoApkFilterByArch\":true,\"appName\":\"\",\"shizukuPretendToBeGooglePlay\":false,\"allowInsecure\":false,\"exemptFromBackgroundUpdates\":false,\"skipUpdateNotifications\":false,\"about\":\"Signal is an open-source end to end encrypted messaging app.\"}","overrideSource":null}

It’s weird that this isn’t mentioned on the signal website or blog? They also distribute the binary with a signature you can check there if you want a non-play store source that’s actually verifiable.
- It's probably not an official thing. F-Droid can't distribute apps in the official repo via their own policy if the developer doesn't agree. Third-party repos like Guardian can.
  
  If it’s not official, how do you verify who is building the binary?
  
  Can confirm, the repository was Guardian Project

Perhaps a result of the proposed ban on distributing tiktok via google and apple is that some developers rethink their distribution mechanisms

Molly-FOSS is awesome and it now has UnifiedPush support built-in!
Get it with Obtainium
- Or via Accrescent
- Woah that's awesome to hear about the FOSS variant. I'll switch over to that version now
  
  Just make sure to set up UnifiedPush if you want to receive notifications while your Molly database is locked. I recommend the new Sunup UP distributor. I wanted to make a post about it in !unifiedpush@lemmy.dbzer0.com, but never got around to do it.
  For Mollysocket, there are a few public instances. molly.adminforge.de is one of them. You can also set up your own on Fly.io, check out this repo: https://github.com/pcrockett/mollysocket-fly
  Or you can obviously self-host it on any VPS or hardware that you own

Is there anything specifically wrong with molly. It seems more locked down by default and is fully open source. Seems better to me.
- No, nothing wrong with it. I use it actually. People are used to Molly being on F-Droid so I didn't want anyone to think that I was referencing that instead of actual Signal.
- Iirc Molly in F-droid still using FCM and the google maps API. If you want Molly-Foss, you have to use Obtanium to pull APKs from their git releases.
  Edit: I was wrong, you can get it off their F-Droid repository.
  
  No. You can use their f-droid repo to get molly-foss
  
  You can also get it from Accrescent
- They do not ship updates as fast as official Signal client does. Do not use it unless you specifically need one of its security features

Please rename the thread to "Signal in the Guardian project F-Droid repo" or something like that to avoid confusion, because as you have noticed, it's not available in the main F-Droid repo, just in the third-party repo maintained by the Guardian project
- Done

Thanks. You can get it by Obtainium too.

I have a tangential question. Would it not make sense for an OS, in this case Android, to have some proper mechanism for installing apps (in this case APKs) directly from a website (as lots of people have been doing fastidiously from signal.org by necessity)?
After all, this is all about trust. With software, assuming that you trust the developer, the goal is to be sure that nobody interfered with the developer's compiled software - and who better to guarantee that than the developer themself, at their own domain? DNS resolution is already based on the "web of trust" principle, which is why you can trust your bank's website. Arguably F-Droid performs a valuable role as a curator and selector of good software, but is there any good technical need for it to actually distribute the software?
- Not exactly answering your question but you can use the app Obtainium to fetch the apk URL from a website/github repo and many other sources to install directly. It also supports fdroid repos and many other sources out of the box. Kinda half way what you mentioned in your first paragraph.
  
  Yes true! Forgot about Obtainium. ~~Personally I'm not much tempted because all it does is swap out F-Droid for Github (i.e. Microsoft) as the middleman.~~ But I agree that it's definitely a win for convenience.
  PS: Turns out Obtainium is source-agnostic. Good news.
  
  Thank you for posting the link
- Not sure if this fits your definition of OS, proper, or install, but FWIW you can already download an apk directly from github using most Android browsers and it will open (or give you the option to open) it with the system's package installer.
  
  Yep and that's exactly what we doing with Signal to avoid the Play Store. It's a bit of a PITA and it's the same on desktop. It's because they don't want third parties maintaining their packages.
  My crazy utopian idea is for some kind of protocol (or equivalent) that would allow native package managers (mobile or desktop) to "plug in" to the website repos of authors, directly.

I was gonna say, I got Molly-FOSS from F-droid, but I actually had to go back and check. It checks out though. I did also get obtainium so I can keep a better eye on updates and actually check the changes on git before updating something as important as secure, encrypted coms. Also I figured I should really start checking the signature each update from now on.

Please forgive if this is a stupid question, but what is the difference between the play store version and this? Assuming it is not altered by a bad actor.
- As i recall, ALL apps in google play store, have to have some sort of google shit embedded into it. Therefore, its better to download something outside of google if you want to remain degoogled.
- I would hope the difference is that the f-droid version does not contain any proprietary code.
  
  No, it's not a special "FOSS" version, it's just the official binary distributed through the Guardian Project repo (as I have proven: https://lemmy.dbzer0.com/comment/16230276). If you want a FOSS variant, check out Signal-FOSS or Molly, they also offer a FOSS variant. You can either download it from their custom F-Droid repo, pull the APK from GitHub using Obtainium or get it from Accrescent.
- I think the main difference is that the Play Store version can use FCM (Google Play Services) for notifications, while the APK Signal distributes only receives notifications over a background WebSocket connection.
  
  That is interesting. Thanks to you and the others.
  Does the use of the google play services allow google to sort of…listen in or be privy to your app usage in any way?

46 comments