I’m downloading Signal from the website, even tho they don’t seem to want you to, because I’d like to be able to completely rid myself of the Google Play Store (as used with Aurora which has its own problems from time to time), and I believe that this version auto-updates or at least tells you when there is one. Following the instructions here using the apksigner in the repository just gives me lots of error messages. I’m using Linux Mint 21.1 (and just because I’m using Linux doesn’t mean that I know what I’m doing). I think I read somewhere that the apksigner in the repos is (of course) broken and I may need a newer version but I don’t know where to get it. Any help with this would be greatly appreciated.
Following the link on the download page, I did
apksigner verify Signal-Android-website-prod-universal-release-6.24.4.apk
which returns lines and lines of errors that look similar to this:
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
I also tried, after asking for help from Signal support:
keytool -list -printcert -jarfile Signal-Android-website-prod-universal-release-6.24.4.apk
and got
keytool error: java.lang.Exception: Only one command is allowed: both -list and -printcert were specified.
I barely understand any of this; really I just want to make sure that the app is safe, properly verified, and not tampered with (which seems kind of unlikely in any event . . . ?)
UPDATE: If I do
apksigner verify --print-certs Signal-Android-website-prod-universal-release-6.24.4.apk
I get
Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374 Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310
followed by a whole lot more of those
WARNING: META-INF
thingies, but I believe #1 is correct?