Signal Flatpak Manifest Review
I do a decent amount of hanging around the discuss.privacyguides.net forum, and one of the questions that comes up repeatedly is the trustworthiness of the Signal flatpak. It's even come up in a Github issue in the Signal repo.
This post is a review of what the Flatpak is actually doing. The manifest (or the instructions + helpers for building the Flatpak) is open source, so it's easy to check. The manifest's actually so simple I wrote this post in just a few minutes.
Finding the Manifest
- Go to the Flathub page. In this case it is:
- Scroll to the bottom where the 'Information' box is. Click 'Links'.
- Look for the file ending in
.yaml
-- that's the manifest. Here's the link for the file in its repository.
Let's go over the manifest to (hopefully) help dispel doubt. Comments I have added are in green; I left the original comments in the file since they bring a lot of clarity.
Manifest Review
id: org.signal.Signal
base: org.electronjs.Electron2.BaseApp
base-version: '23.08'
runtime: org.freedesktop.Platform
runtime-version: '23.08'
sdk: org.freedesktop.Sdk
command: signal-desktop
separate-locales: false
+# Just boring metadata above.
+# Below, we can see that the reasons for each item are already explained by a comment. I added some more content to the items that might seem less obvious.
finish-args:
# X11 performance
+ # Makes X11 faster. src: https://discourse.flathub.org/t/what-does-finish-args-x11-without-ipc-mean-and-how-do-you-fix-it/3279/2
- --share=ipc
# We need X11
- --socket=x11
# Access to wayland
- --socket=wayland
# Audio Access
- --socket=pulseaudio
# All devices (camera, microphone for calls)
- --device=all
# Network Access
- --share=network
# We need to be able to inhibit sleep
- --system-talk-name=org.freedesktop.login1
- --talk-name=org.gnome.SessionManager
- --talk-name=org.freedesktop.PowerManagement
- --talk-name=org.freedesktop.ScreenSaver
# These are for notifications/tray icons
- --talk-name=org.gnome.Mutter.IdleMonitor
- --talk-name=org.kde.StatusNotifierWatcher
- --talk-name=com.canonical.AppMenu.Registrar
- --talk-name=com.canonical.indicator.application
+ # This is indeed related to notifications. src: https://ayatanaindicators.github.io/code/
- --talk-name=org.ayatana.indicator.application
# Environment Variables to control the behavior
- --env=SIGNAL_USE_TRAY_ICON=0
- --env=SIGNAL_START_IN_TRAY=0
- --env=SIGNAL_USE_WAYLAND=0
- --env=SIGNAL_DISABLE_GPU=0
- --env=SIGNAL_DISABLE_GPU_SANDBOX=0
# Use same mouse cursors as host
- --env=XCURSOR_PATH=/run/host/user-share/icons:/run/host/share/icons
modules:
- name: signal-desktop
buildsystem: simple
build-commands:
- |
+ # Unpack tarball (compressed file format, like a .zip)
bsdtar -Oxf signal-desktop.deb 'data.tar.xz' |
bsdtar -xf - \
--exclude='./usr/share/doc'
- |
+ # Check if directory indicates Signal Beta or not, move data accordingly
if [ -d "opt/Signal" ]; then
mv "opt/Signal" "${FLATPAK_DEST}/Signal"
BETA_SUFFIX=""
elif [ -d "opt/Signal Beta" ]; then
mv "opt/Signal Beta" "${FLATPAK_DEST}/Signal"
ln -s "${FLATPAK_DEST}/Signal/signal-desktop-beta" "${FLATPAK_DEST}/Signal/signal-desktop"
BETA_SUFFIX="-beta"
else
exit 1
fi
install -Dm0644 "usr/share/applications/signal-desktop${BETA_SUFFIX}.desktop" "${FLATPAK_DEST}/share/applications/${FLATPAK_ID}.desktop"
for size in 16 24 32 48 64 128 256 512; do
install -Dm0644 "usr/share/icons/hicolor/${size}x${size}/apps/signal-desktop${BETA_SUFFIX}.png" "${FLATPAK_DEST}/share/icons/hicolor/${size}x${size}/apps/${FLATPAK_ID}.png"
done
+ # Run shell script, which does nothing nefarious. Review below.
- install -Dm0755 signal-desktop.sh "${FLATPAK_DEST}/bin/signal-desktop"
- install -Dm0644 "${FLATPAK_ID}.metainfo.xml" "${FLATPAK_DEST}/share/metainfo/${FLATPAK_ID}.metainfo.xml"
- desktop-file-edit --set-key=Exec --set-value='signal-desktop %U' "${FLATPAK_DEST}/share/applications/${FLATPAK_ID}.desktop"
- desktop-file-edit --set-key=Icon --set-value="${FLATPAK_ID}" "${FLATPAK_DEST}/share/applications/${FLATPAK_ID}.desktop"
sources:
- type: file
dest-filename: signal-desktop.deb
+ # Reference the .deb straight from Signal. No fuckery in the URL.
url: https://updates.signal.org/desktop/apt/pool/s/signal-desktop/signal-desktop_7.9.0_amd64.deb
+ # One can confirm that this matches the file straight from Signal. Obviously this changes each time there is an update, though. This hash proves (if it matches) that the code matches what Signal is distributing themselves.
sha256: 22fd961b592f077b44885bb83b2d29a342a5a560b07da94334e5ecb4efc2f9ed
x-checker-data:
type: debian-repo
package-name: signal-desktop
root: https://updates.signal.org/desktop/apt
+ # `Dist: xenial` as in Xenial Ubuntu, probably for the automated build containers.
dist: xenial
component: main
only-arches:
- x86_64
- type: file
path: signal-desktop.sh
- type: file
path: org.signal.Signal.metainfo.xml
Confirming the Hash
If you'd like to confirm the hash yourself, you can download the .deb from Signal, then run:
$ sha256sum signal-desktop_7.9.0_amd64.deb
22fd961b592f077b44885bb83b2d29a342a5a560b07da94334e5ecb4efc2f9ed signal-desktop_7.9.0_amd64.deb
Mine matches the hash in the manifest file.
Reviewing the Shell Script
It's a small script that essentially adds flags to the Signal flatpak depending on the Signal-related environment variables that are set. Link to the code is here:
Well, that's it! If you were worried about the Signal flatpak, at this time you have no reason to be, in my opinion. Feel free to get in touch if I have made a grave mistake or missed something.