Brain Overflow

Signal Flatpak Manifest Review

I do a decent amount of hanging around the forum, and one of the questions that comes up repeatedly is the trustworthiness of the Signal flatpak. It's even come up in a Github issue in the Signal repo.

This post is a review of what the Flatpak is actually doing. The manifest (or the instructions + helpers for building the Flatpak) is open source, so it's easy to check. The manifest's actually so simple I wrote this post in just a few minutes.

Finding the Manifest

Let's go over the manifest to (hopefully) help dispel doubt. Comments I have added are in green; I left the original comments in the file since they bring a lot of clarity.

Manifest Review

id: org.signal.Signal
base: org.electronjs.Electron2.BaseApp
base-version: '23.08'
runtime: org.freedesktop.Platform
runtime-version: '23.08'
sdk: org.freedesktop.Sdk
command: signal-desktop
separate-locales: false

+# Just boring metadata above.

+# Below, we can see that the reasons for each item are already explained by a comment. I added some more content to the items that might seem less obvious.
  # X11 performance
+ # Makes X11 faster. src:
  - --share=ipc 
  # We need X11
  - --socket=x11
  # Access to wayland
  - --socket=wayland
  # Audio Access
  - --socket=pulseaudio
  # All devices (camera, microphone for calls)
  - --device=all
  # Network Access
  - --share=network
  # We need to be able to inhibit sleep
  - --system-talk-name=org.freedesktop.login1
  - --talk-name=org.gnome.SessionManager
  - --talk-name=org.freedesktop.PowerManagement
  - --talk-name=org.freedesktop.ScreenSaver
  # These are for notifications/tray icons
  - --talk-name=org.gnome.Mutter.IdleMonitor
  - --talk-name=org.kde.StatusNotifierWatcher
  - --talk-name=com.canonical.AppMenu.Registrar
  - --talk-name=com.canonical.indicator.application
+ # This is indeed related to notifications. src:
  - --talk-name=org.ayatana.indicator.application  
  # Environment Variables to control the behavior
  # Use same mouse cursors as host
  - --env=XCURSOR_PATH=/run/host/user-share/icons:/run/host/share/icons

  - name: signal-desktop
    buildsystem: simple
      - |
+ # Unpack tarball (compressed file format, like a .zip)
        bsdtar -Oxf signal-desktop.deb 'data.tar.xz' | 
          bsdtar -xf - \
      - |
+ # Check if directory indicates Signal Beta or not, move data accordingly
        if [ -d "opt/Signal" ]; then
          mv "opt/Signal" "${FLATPAK_DEST}/Signal"
        elif [ -d "opt/Signal Beta" ]; then
          mv "opt/Signal Beta" "${FLATPAK_DEST}/Signal"
          ln -s "${FLATPAK_DEST}/Signal/signal-desktop-beta" "${FLATPAK_DEST}/Signal/signal-desktop"
          exit 1

        install -Dm0644 "usr/share/applications/signal-desktop${BETA_SUFFIX}.desktop" "${FLATPAK_DEST}/share/applications/${FLATPAK_ID}.desktop"

        for size in 16 24 32 48 64 128 256 512; do
          install -Dm0644 "usr/share/icons/hicolor/${size}x${size}/apps/signal-desktop${BETA_SUFFIX}.png" "${FLATPAK_DEST}/share/icons/hicolor/${size}x${size}/apps/${FLATPAK_ID}.png"
+ # Run shell script, which does nothing nefarious. Review below.
      - install -Dm0755 "${FLATPAK_DEST}/bin/signal-desktop"
      - install -Dm0644 "${FLATPAK_ID}.metainfo.xml" "${FLATPAK_DEST}/share/metainfo/${FLATPAK_ID}.metainfo.xml"
      - desktop-file-edit --set-key=Exec --set-value='signal-desktop %U' "${FLATPAK_DEST}/share/applications/${FLATPAK_ID}.desktop"
      - desktop-file-edit --set-key=Icon --set-value="${FLATPAK_ID}" "${FLATPAK_DEST}/share/applications/${FLATPAK_ID}.desktop"
      - type: file
        dest-filename: signal-desktop.deb
+ # Reference the .deb straight from Signal. No fuckery in the URL.
+ # One can confirm that this matches the file straight from Signal. Obviously this changes each time there is an update, though. This hash proves (if it matches) that the code matches what Signal is distributing themselves.
        sha256: 22fd961b592f077b44885bb83b2d29a342a5a560b07da94334e5ecb4efc2f9ed
          type: debian-repo
          package-name: signal-desktop
+ # `Dist: xenial` as in Xenial Ubuntu, probably for the automated build containers.
          dist: xenial
          component: main
          - x86_64
      - type: file
      - type: file
        path: org.signal.Signal.metainfo.xml

Confirming the Hash

If you'd like to confirm the hash yourself, you can download the .deb from Signal, then run:

$ sha256sum signal-desktop_7.9.0_amd64.deb
22fd961b592f077b44885bb83b2d29a342a5a560b07da94334e5ecb4efc2f9ed  signal-desktop_7.9.0_amd64.deb

Mine matches the hash in the manifest file.

Reviewing the Shell Script

It's a small script that essentially adds flags to the Signal flatpak depending on the Signal-related environment variables that are set. Link to the code is here:

Well, that's it! If you were worried about the Signal flatpak, at this time you have no reason to be, in my opinion. Feel free to get in touch if I have made a grave mistake or missed something.

#linux #security