Brain Overflow

Signal Flatpak Manifest Review

I do a decent amount of hanging around the discuss.privacyguides.net forum, and one of the questions that comes up repeatedly is the trustworthiness of the Signal flatpak. It's even come up in a GitHub issue in the Signal repo.

This post is a review of what the Flatpak is actually doing. The manifest (or the instructions + helpers for building the Flatpak) is open source, so it's easy to check. The manifest's actually so simple I wrote this post in just a few minutes.

Finding the Manifest

Let's go over the manifest to (hopefully) help dispel doubt. Comments I have added are in green (the lines prefixed with + here); I left the original comments in the file since they bring a lot of clarity.

Manifest Review

id: org.signal.Signal
base: org.electronjs.Electron2.BaseApp
base-version: '23.08'
runtime: org.freedesktop.Platform
runtime-version: '23.08'
sdk: org.freedesktop.Sdk
command: signal-desktop
separate-locales: false

+# Just boring metadata above.

+# Below, we can see that the reasons for each item are already explained by a comment. I added some more content to the items that might seem less obvious.
finish-args:
  # X11 performance
+ # Makes X11 faster. src: https://discourse.flathub.org/t/what-does-finish-args-x11-without-ipc-mean-and-how-do-you-fix-it/3279/2
  - --share=ipc 
  # We need X11
  - --socket=x11
  # Access to wayland
  - --socket=wayland
  # Audio Access
  - --socket=pulseaudio
  # All devices (camera, microphone for calls)
  - --device=all
  # Network Access
  - --share=network
  # We need to be able to inhibit sleep
  - --system-talk-name=org.freedesktop.login1
  - --talk-name=org.gnome.SessionManager
  - --talk-name=org.freedesktop.PowerManagement
  - --talk-name=org.freedesktop.ScreenSaver
  # These are for notifications/tray icons
  - --talk-name=org.gnome.Mutter.IdleMonitor
  - --talk-name=org.kde.StatusNotifierWatcher
  - --talk-name=com.canonical.AppMenu.Registrar
  - --talk-name=com.canonical.indicator.application
+ # This is indeed related to notifications. src: https://ayatanaindicators.github.io/code/
  - --talk-name=org.ayatana.indicator.application  
  # Environment Variables to control the behavior
  - --env=SIGNAL_USE_TRAY_ICON=0
  - --env=SIGNAL_START_IN_TRAY=0
  - --env=SIGNAL_USE_WAYLAND=0
  - --env=SIGNAL_DISABLE_GPU=0
  - --env=SIGNAL_DISABLE_GPU_SANDBOX=0
  # Use same mouse cursors as host
  - --env=XCURSOR_PATH=/run/host/user-share/icons:/run/host/share/icons

modules:
  - name: signal-desktop
    buildsystem: simple
    build-commands:
      - |
+ # Pull data.tar.xz out of the .deb and unpack it (a tarball is a compressed archive format, like a .zip), skipping ./usr/share/doc
        bsdtar -Oxf signal-desktop.deb 'data.tar.xz' | 
          bsdtar -xf - \
            --exclude='./usr/share/doc'
      - |
+ # Check if directory indicates Signal Beta or not, move data accordingly
        if [ -d "opt/Signal" ]; then
          mv "opt/Signal" "${FLATPAK_DEST}/Signal"
          BETA_SUFFIX=""
        elif [ -d "opt/Signal Beta" ]; then
          mv "opt/Signal Beta" "${FLATPAK_DEST}/Signal"
          ln -s "${FLATPAK_DEST}/Signal/signal-desktop-beta" "${FLATPAK_DEST}/Signal/signal-desktop"
          BETA_SUFFIX="-beta"
        else
          exit 1
        fi

        install -Dm0644 "usr/share/applications/signal-desktop${BETA_SUFFIX}.desktop" "${FLATPAK_DEST}/share/applications/${FLATPAK_ID}.desktop"

        for size in 16 24 32 48 64 128 256 512; do
          install -Dm0644 "usr/share/icons/hicolor/${size}x${size}/apps/signal-desktop${BETA_SUFFIX}.png" "${FLATPAK_DEST}/share/icons/hicolor/${size}x${size}/apps/${FLATPAK_ID}.png"
        done
+ # Install the launcher shell script as bin/signal-desktop (it runs when Signal is started, not during the build). It does nothing nefarious. Review below.
      - install -Dm0755 signal-desktop.sh "${FLATPAK_DEST}/bin/signal-desktop"
      - install -Dm0644 "${FLATPAK_ID}.metainfo.xml" "${FLATPAK_DEST}/share/metainfo/${FLATPAK_ID}.metainfo.xml"
      - desktop-file-edit --set-key=Exec --set-value='signal-desktop %U' "${FLATPAK_DEST}/share/applications/${FLATPAK_ID}.desktop"
      - desktop-file-edit --set-key=Icon --set-value="${FLATPAK_ID}" "${FLATPAK_DEST}/share/applications/${FLATPAK_ID}.desktop"
    sources:
      - type: file
        dest-filename: signal-desktop.deb
+ # Reference the .deb straight from Signal. No fuckery in the URL.
        url: https://updates.signal.org/desktop/apt/pool/s/signal-desktop/signal-desktop_7.9.0_amd64.deb 
+ # One can confirm that this matches the file straight from Signal. Obviously this changes each time there is an update, though. This hash proves (if it matches) that the code matches what Signal is distributing themselves.
        sha256: 22fd961b592f077b44885bb83b2d29a342a5a560b07da94334e5ecb4efc2f9ed
        x-checker-data:
          type: debian-repo
          package-name: signal-desktop
          root: https://updates.signal.org/desktop/apt
+ # `Dist: xenial` as in Xenial Ubuntu, probably for the automated build containers.
          dist: xenial
          component: main
        only-arches:
          - x86_64
      - type: file
        path: signal-desktop.sh
      - type: file
        path: org.signal.Signal.metainfo.xml
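
The sandbox grants in finish-args can also be tabulated instead of read line by line. The Python below is an added example, not code from this post or from the Flathub repository; the function names, the constructed manifest excerpt and the wording of the review notes are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt of the finish-args reviewed above (not the full manifest).
SAMPLE_MANIFEST = """\
id: org.signal.Signal
finish-args:
  # X11 performance
  - --share=ipc
  - --socket=x11
  - --socket=wayland
  - --socket=pulseaudio
  # All devices (camera, microphone for calls)
  - --device=all
  - --share=network
  - --system-talk-name=org.freedesktop.login1
  - --talk-name=org.freedesktop.ScreenSaver
  - --env=SIGNAL_USE_WAYLAND=0
modules:
  - name: signal-desktop
"""

def finish_args(manifest_text):
    """Return {option: [values]} for the entries listed under finish-args."""
    grants = defaultdict(list)
    in_block = False
    for line in manifest_text.splitlines():
        if re.match(r"^[\w-]+:", line):       # any top-level key opens or closes the block
            in_block = line.startswith("finish-args:")
            continue
        m = re.match(r"^\s*-\s+--([a-z-]+)=(\S+)", line)
        if in_block and m:
            grants[m.group(1)].append(m.group(2))
    return dict(grants)

def review_points(grants):
    """Points a reviewer would note; the wording is this example's, not Flatpak's."""
    notes = []
    if "all" in grants.get("device", []):
        notes.append("device=all: every host device node, not only camera/microphone")
    if "x11" in grants.get("socket", []):
        notes.append("socket=x11: X11 does not isolate clients from each other")
    if grants.get("system-talk-name"):
        notes.append("system bus access: " + ", ".join(grants["system-talk-name"]))
    if "filesystem" not in grants:
        notes.append("no --filesystem option: no direct host filesystem access requested")
    return notes
```

On an installed system, `flatpak info --show-permissions org.signal.Signal` prints the permissions actually in effect, including any local overrides.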

Confirming the Hash

If you'd like to confirm the hash yourself, you can download the .deb from Signal, then run:

$ sha256sum signal-desktop_7.9.0_amd64.deb
22fd961b592f077b44885bb83b2d29a342a5a560b07da94334e5ecb4efc2f9ed  signal-desktop_7.9.0_amd64.deb

Mine matches the hash in the manifest file.
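
The same check can be scripted so it also confirms where the manifest downloads from. This Python is an added example, not part of the original post or the Flatpak tooling; the function names are hypothetical, and the sample bytes, the 0.0.0 version and the pin computed from them are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed download bytes and manifest excerpt (0.0.0 is a placeholder version).
SAMPLE_DEB = b"constructed stand-in for signal-desktop.deb"
SAMPLE_SOURCES = f"""\
    sources:
      - type: file
        url: https://updates.signal.org/desktop/apt/pool/s/signal-desktop/signal-desktop_0.0.0_amd64.deb
        sha256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}
      - type: file
        path: signal-desktop.sh
"""

def pinned_sources(manifest_text):
    """Return [(url, sha256)] for each source entry that pins a download."""
    pins, entry = [], {}
    for line in manifest_text.splitlines():
        m = re.match(r"^\s*(-\s+)?([\w-]+):\s*(\S+)\s*$", line)
        if not m:
            continue
        if m.group(1):                      # "- key: value" opens a new source entry
            entry = {}
        entry[m.group(2)] = m.group(3)
        if m.group(2) in ("url", "sha256") and {"url", "sha256"} <= entry.keys():
            pins.append((entry["url"], entry["sha256"].lower()))
    return pins

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks, as sha256sum does, without loading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def check_pin(manifest_text, deb_path, expected_host="updates.signal.org"):
    """Return (ok, reason) for the first pinned source against a local file."""
    pins = pinned_sources(manifest_text)
    if not pins:
        return False, "manifest pins no download"
    url, pinned = pins[0]
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != expected_host:
        return False, "source URL is not https on " + expected_host
    if sha256_file(deb_path) != pinned:
        return False, "downloaded file does not match the pin"
    return True, "downloaded file matches the pin"
```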

Reviewing the Shell Script

It's a small script that essentially adds flags to the Signal flatpak depending on the Signal-related environment variables that are set. Link to the code is here:


Well, that's it! If you were worried about the Signal flatpak, at this time you have no reason to be, in my opinion. Feel free to get in touch if I have made a grave mistake or missed something.

#linux #security