Can you run Signal with basically no iOS or Android devices right now and still do the (mandatory) prove-your-phone-id steps?

It feels like in the very near future I, and everyone else who cares about computing autonomy, we're all gonna have to start runnin' the Linux phones, no matter how non-ideal that user experience is right now

@cwebber I think it’s possible with signal-cli, but I haven’t tried it.

@Seirdy @cwebber signal-cli does indeed advertise supporting registration.
https://github.com/AsamK/signal-cli

also i do want to ask, don't most Mobile Linux projects support running android apps in one way or another? it should be possible then (if not easy, though maybe there's some reservations i'm not aware of) to run the mobile version of Signal on a Linux phone.

@Yuvalne @cwebber They support it at the expense of security. No robust SELinux-enabled Android sandbox.

Then again, Signal Desktop has no sandbox either. Which is…concerning.

@Seirdy @cwebber isn't it sandboxed? i know there's some encryption on desktop that makes copying the database to another install non-trivial, but maybe it's missing some other stuff you'd want, i really have no expertise in that subject.

@Yuvalne @cwebber the desktop app is an Electron app with the Chromium sandbox disabled via a command-line flag.

@Yuvalne @cwebber my info may be outdated; check your running processes and look for chromium flags like disable-sandbox and no-zygote-sandbox

@Seirdy @cwebber well i'm running the flatpak so it's not really a good test. but i'll ask some fellows.

@Yuvalne @Seirdy @cwebber afaik flatpak apps will still show their processes in ps, so you'd be able to grep for it? flatpak just sandboxes the apps so they can't see outside the allowed directories

but the issue with disabling sandboxing is not that it allows it to access other programs or that other programs can access it, but rather that if you compromise a worker thread or something it allows you access to all other threads, allowing you to escalate to something like a full app compromise (leaking user data)
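
Added example, not part of any post in this thread: a shell script for the check suggested above, which looks through running processes (Linux `/proc`) for Chromium sandbox switches and reports them per process type. The switch list contains only the names mentioned in this thread; the `signal-desktop` pattern in the usage line is an assumption about how the process appears on your system.

```shell
#!/bin/sh
# Switch names taken from this thread only. "disable-sandbox" is listed because
# a post names it, not because it is confirmed to be a real Chromium switch.
SANDBOX_FLAGS="no-sandbox disable-sandbox no-zygote no-zygote-sandbox"

# sandbox_flags "<command line>": print the listed switches that appear as
# whole arguments, so --no-zygote is not confused with --no-zygote-sandbox.
sandbox_flags() {
    found=""
    for flag in $SANDBOX_FLAGS; do
        case " $1 " in
            *" --$flag "*|*" --$flag="*) found="${found:+$found }$flag" ;;
        esac
    done
    printf '%s\n' "$found"
}

# process_type "<command line>": Chromium child processes carry --type=<name>;
# the main process has no --type argument and is reported as "browser".
process_type() {
    case " $1" in
        *" --type="*) t=${1#*--type=}; printf '%s\n' "${t%% *}" ;;
        *) printf 'browser\n' ;;
    esac
}

# scan_procs <pattern>: print "pid<TAB>type<TAB>flags" for every process whose
# command line contains <pattern>. /proc/<pid>/cmdline is NUL-separated.
scan_procs() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}; pid=${pid%/cmdline}
        if [ "$pid" = "$$" ]; then continue; fi   # skip this script itself
        [ -r "$f" ] || continue
        cmd=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        case "$cmd" in
            *"$1"*) ;;
            *) continue ;;
        esac
        flags=$(sandbox_flags "$cmd")
        printf '%s\t%s\t%s\n' "$pid" "$(process_type "$cmd")" "${flags:-none}"
    done
}

# Usage (pattern is an assumption): sh check-sandbox.sh signal-desktop
if [ -n "${1:-}" ]; then scan_procs "$1"; fi
```

A line ending in `none` means none of the listed switches is on that process's command line; it does not by itself prove the sandbox is active.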

@solonovamax @Seirdy @cwebber fair point. i'm not seeing this flag anymore, but there is a no-zygote-sandbox flag on one of the processes. digging through their github, this seems to have been the case since v7.38, so over a year ago.
https://github.com/signalapp/Signal-Desktop/issues/3573#issuecomment-2575864732

@solonovamax @Seirdy @cwebber
the thing i was confusing it with is full database encryption, which is there since 7.17 (about a year and a half ago).

@Yuvalne @Seirdy @cwebber yeah, if you've managed to hijack the process the database encryption doesn't matter

--no-sandbox --no-zygote

sad trombones

@khm @Seirdy @cwebber
that shouldn't be the case anymore, what version are you running?
https://433.world/@Yuvalne/116138906518307332

@khm @Seirdy @cwebber
i'm seeing conflicting information, but at the very least the "no-sandbox" flag shouldn't be there, right?

@Yuvalne @Seirdy @cwebber

Fortunately (unfortunately?) this doesn't seem to be true, signal-export [1] is able to automatically extract the encryption key for me (on Linux) and read all my chats. I think Signal on desktop only obfuscates the database, it's not actually protected against the local user.

[1] https://github.com/carderne/signal-export