I’m downloading Signal from the website, even tho they don’t seem to want you to, because I’d like to be able to completely rid myself of the Google Play Store (as used with Aurora which has its own problems from time to time), and I believe that this version auto-updates or at least tells you when there is one. Following the instructions here using the apksigner in the repository just gives me lots of error messages. I’m using Linux Mint 21.1 (and just because I’m using Linux doesn’t mean that I know what I’m doing). I think I read somewhere that the apksigner in the repos is (of course) broken and I may need a newer version but I don’t know where to get it. Any help with this would be greatly appreciated.
What line did you use to verify the apk and what error do you get back? I’m on my phone, but if you still need help I can turn on my laptop and have a look
Following the link on the download page, I did
apksigner verify Signal-Android-website-prod-universal-release-6.24.4.apkwhich returns lines and lines of errors that look similar to this:
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.I also tried, after asking for help from Signal support:
keytool -list -printcert -jarfile Signal-Android-website-prod-universal-release-6.24.4.apkand got
keytool error: java.lang.Exception: Only one command is allowed: both -list and -printcert were specified.I barely understand any of this; really I just want to make sure that the app is safe, properly verified, and not tampered with (which seems kind of unlikely in any event . . . ?)
UPDATE: If I do
apksigner verify --print-certs Signal-Android-website-prod-universal-release-6.24.4.apkI get
Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374 Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310followed by a whole lot more of those
WARNING: META-INFthingies, but I believe #1 is correct?The META-INF warnings are for any file in the META-INF directory since those files are not part of the signature.
I think you already found it, awesome!
Though @hschen@sopuli.xyz got to the solution before you did, I nonetheless appreciate your intent to help! Thanks! 🙂👍
I think i verified it via Termux on android, cant remember the exact commands but try that.
EDIT: Ok i remembered how i did it, open the signal apk with a zipping utility and extract the META-INF/CERTIFIC.RSA
then run this
keytool -printcert -file CERTIFIC.RSA
and match it to the websites signature
did it from archlinux this time and it worked as well
Success! You are officially the best person in the world. Thanks for taking the time to help 👍
- Lengsel ( @lengsel@latte.isnot.coffee ) English2•1 year ago
Give Molly a try here.