I’m downloading Signal from the website, even tho they don’t seem to want you to, because I’d like to be able to completely rid myself of the Google Play Store (as used with Aurora which has its own problems from time to time), and I believe that this version auto-updates or at least tells you when there is one. Following the instructions here using the apksigner in the repository just gives me lots of error messages. I’m using Linux Mint 21.1 (and just because I’m using Linux doesn’t mean that I know what I’m doing). I think I read somewhere that the apksigner in the repos is (of course) broken and I may need a newer version but I don’t know where to get it. Any help with this would be greatly appreciated.

  • hedge@beehaw.orgOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Following the link on the download page, I did

    apksigner verify Signal-Android-website-prod-universal-release-6.24.4.apk

    which returns lines and lines of errors that look similar to this:

    WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

    I also tried, after asking for help from Signal support:

    keytool -list -printcert -jarfile Signal-Android-website-prod-universal-release-6.24.4.apk

    and got

    keytool error: java.lang.Exception: Only one command is allowed: both -list and -printcert were specified.

    I barely understand any of this; really I just want to make sure that the app is safe, properly verified, and not tampered with (which seems kind of unlikely in any event . . . ?)

    UPDATE: If I do

    apksigner verify --print-certs Signal-Android-website-prod-universal-release-6.24.4.apk

    I get

    Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
    Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374
    Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310
    

    followed by a whole lot more of those WARNING: META-INF thingies, but I believe #1 is correct?