I’m downloading Signal from the website, even tho they don’t seem to want you to, because I’d like to be able to completely rid myself of the Google Play Store (as used with Aurora which has its own problems from time to time), and I believe that this version auto-updates or at least tells you when there is one. Following the instructions here using the apksigner in the repository just gives me lots of error messages. I’m using Linux Mint 21.1 (and just because I’m using Linux doesn’t mean that I know what I’m doing). I think I read somewhere that the apksigner in the repos is (of course) broken and I may need a newer version but I don’t know where to get it. Any help with this would be greatly appreciated.
Following the link on the download page, I did
apksigner verify Signal-Android-website-prod-universal-release-6.24.4.apkwhich returns lines and lines of errors that look similar to this:
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.I also tried, after asking for help from Signal support:
keytool -list -printcert -jarfile Signal-Android-website-prod-universal-release-6.24.4.apkand got
keytool error: java.lang.Exception: Only one command is allowed: both -list and -printcert were specified.I barely understand any of this; really I just want to make sure that the app is safe, properly verified, and not tampered with (which seems kind of unlikely in any event . . . ?)
UPDATE: If I do
apksigner verify --print-certs Signal-Android-website-prod-universal-release-6.24.4.apkI get
followed by a whole lot more of those
WARNING: META-INFthingies, but I believe #1 is correct?The META-INF warnings are for any file in the META-INF directory since those files are not part of the signature.
I think you already found it, awesome!
Though @hschen@sopuli.xyz got to the solution before you did, I nonetheless appreciate your intent to help! Thanks! 🙂👍