Signal Messenger

Community Guides
,
1

What is Signal?

According to Wikipedia:

Signal is an encrypted instant messaging and voice calling application for Android and iOS. It uses end-to-end encryption to secure all communications to other Signal users. Signal can be used to send and receive encrypted instant messages, group messages, attachments and media messages. Users can independently verify the identity of their messaging correspondents by comparing key fingerprints out-of-band.

Signal is developed by Signal Technology Foundation and Signal Messenger LLC. The mobile clients for are published as free and open-source software under the GPLv3 license, while the desktop client and server are published under the AGPL-3.0-only license.

How to install Signal Desktop in Qubes

CAUTION: Before proceeding, please carefully read On Digital Signatures and Key Verification. This website cannot guarantee that any PGP key you download from the Internet is authentic. Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint.

The following adapts the official Linux (Debian-based) Install Instructions from Signalā€™s website for Qubes.

  1. (Optional) Create a TemplateVM (debian-11 is used as an example, but can be debian-11-minimal, debian-10, etc.):

    [user@dom0 ~]$ sudo qubesctl --skip-dom0 --targets=debian-11 --show-output state.sls update.qubes-vm

  2. Open a terminal in Debian 11 (or your previously chosen template; note that gnome-terminal isnā€™t installed by default in a minimal template, in that case replace gnome-terminal with uxterm):

    [user@dom0 ~]$ qvm-run -a debian-11 gnome-terminal

  3. Run the commands below in the terminal youā€™ve just opened.

    Install the curl program needed to download the Signal signing key:

    sudo apt install curl

    We need a notification daemon, otherwise Signal will hang the first time you receive a message when the window doesnā€™t have the focus (alternatively you could install xfce4-notifyd instead of dunst):

    sudo apt install dunst

    Download the Signal signing key (we need to pass the --proxy argument to curl as TemplateVMs can only access internet through a proxy at localhost/127.0.0.1 port 8082):

    curl --proxy 127.0.0.1:8082 -s https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null

    Add the Signal repository (Signal donā€™t offer a buster/bullseye repository - they use xenial, but this doesnā€™t affect Debian users):

    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | sudo tee -a /etc/apt/sources.list.d/signal-desktop.list

    Then fetch all repositories (now including the newly added Signal repository), bring the TemplateVM up-to-date, and finally install Signal:

    sudo apt update && sudo apt full-upgrade && sudo apt install --no-install-recommends signal-desktop

  4. A bit more work is required in case you used a minimal template for the TemplateVM above:

    signal-desktop requires at least libatk1.0-0, libatk-bridge2.0-0, libcups2 and libgtk-3-0 to run. Those dependencies are automatically installed when installing xfce4-notifyd, but if you installed dunst youā€™ll have to add them:

    sudo apt install libatk1.0-0 libatk-bridge2.0-0 libcups2 libgtk-3-0

    If you havenā€™t done so already, qubes-core-agent-networking must be installed for networking to work in qubes based on minimal templates:

    sudo apt install qubes-core-agent-networking

    Then optionally install the following packages for convenience of handling files (zenity is needed by the Qubes OS functions in qubes-core-agent-nautilus to show the progress dialog when moving/copying files):

    sudo apt install nautilus qubes-core-agent-nautilus zenity

  5. Shutdown the TemplateVM (substitute your template name if needed):

    [user@dom0 ~]$ qvm-shutdown debian-11

  6. Create an AppVM based on this TemplateVM.

  7. With your mouse, select the Q menu ā†’ Domain: "AppVM Name" ā†’ "AppVM Name": Qube Settings ā†’ Applications (or in Qubes Manager "AppVM Name" ā†’ Settings ā†’ Applications). Select Signal from the left Available column, move it to the right Selected column by clicking the > button and then OK to apply the changes and close the window.

This document was migrated from the qubes-community project
  • Page archive
  • First commit: 08 Dec 2020. Last commit: 30 Oct 2022.
  • Applicable Qubes OS releases based on commit dates and supported releases: 4.0, 4.1
  • Original author(s) (GitHub usernames): taivlam, Minimalist73, awokd, taradiddles, b068931cc450442b63f5b3d276ea4297
  • Original author(s) (forum usernames): @taradiddles, @taivlam
  • Document license: GPLv2
3 Likes
2

hi, idk what i did wrong here but whenever i do sudo update [anything] i get E: malformed entry 1 in the list file /etc/apt/sources.list.d/signal-desktop.list ([option] not assignment)

and

E: The list of sources could not be read.

Im running debian-11 [not minimal]

thanks.

3

Whatā€™s the content of this file?

cat /etc/apt/sources.list.d/signal-desktop.list
4

thank you for the quick responseā€¦ i just rage quit and reinstalled debian. Went with debian-12 minimal and everything works fine :slight_smile:

5

Is there a reason to do it this way rather than just installing snapd and letting Snap handle the Signal install? Thatā€™s two lines:

apt install snapd
snap install signal-desktop

Thereā€™s a bigger picture here - things like Discord, Element, Slack, and Telegram are also one line installs for Snap. I have reason to despise all four of the platforms I just mentioned, but unless youā€™re in the driverā€™s seat you have to go where the action is.

6

Because thatā€™s what the official Signal documentation recommends?

1 Like
7

There are a lot of things you could do by horsing around with apt and bash that end in puzzles with missing signing keys and errors associated with apt update. Being familiar with this sort of thing, I do tend to try to wade through it at first, but at the first sign of any trouble Iā€™ll snap search the package.

But for non-technical users, if there isnā€™t a security concern using snap, it would be so much better. apt install snapd, then many things are one liners that just work. It would be easy to write guides to install, backup, upgrade, rollback using snap. Such things would range from difficult to impossible if apt/dpkg are the tools employed.

This is kinda where I live - I stick my nose into places where observers are not welcome, I handle FOIA and leaks and such, but a big part of my practice is fostering others doing such things. Qubes 4.x is looking like something I could suggest to journalists/researchers, and having a deterministic way to install the various chat apps would be a BIG step towards making that happen.

3 Likes
8

gā€™day,
i had a few trouble with the curl --proxy 127.0.0.1:8082 -s <signal update site removed as i'm a new user and have a 2 link limit..>/keys.asc | gpg --dearmor | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null step in that it threw a ā€œgpg: no valid OpenPGP data foundā€ error.
then after manually downloading the key.asc and running the dearmor and proceding commands on it i encountered another issue in the sudo apt update && sudo apt full-upgrade && sudo apt install --no-install-recommends signal-desktop following "W: GPG error: <signal update site removed as iā€™m a new user and have a 2 link limitā€¦> xenial InRelease: The following signatures couldnā€™t be verified because the public key is not available: NO_PUBKEY D980A17457F6FB06
E: The repository ā€˜<signal update site removed as iā€™m a new user and have a 2 link limitā€¦> xenial InReleaseā€™ is not signed.
N: Updating from such a repository canā€™t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
"

The solution i found in From mtdrcā€™s comment and solution here which was i will copy with pride here

wget https://updates.signal.org/desktop/apt/keys.asc
sudo rm -f /usr/share/keyrings/signal-desktop-keyring.gpg
sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/signal-desktop-keyring.gpg --import keys.asc
sudo chmod +r /usr/share/keyrings/signal-desktop-keyring.gpg

note ya will possible have to apt install wget for this to work as it is need to work or manually install download the key.asc using a web browser.

9

Iā€™ve the same question if there isnā€™t a security concern why not use: snap or flatpak with fire-jailed apps?

10

Maybe because snap sometimes breaks things? :wink:

https://www.militant.dk/2020/07/16/xubuntu-and-keepassxc-with-no-browserintegration-snap-crap/

Sincerely
Max

11

Is there a way to avoid using phone to register/use signal? It doesnā€™t look good from the anonymity/privacy perspectiveā€¦

12

no, you could pay a temporary phone number but then if it gets reallocated this may create issues (I donā€™t know existly, hence the wording may)

14

Hello,

Concerning the command :

curl --proxy 127.0.0.1:8082 -s https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null

Could someone explain to me how I am supposed to know that I need to use the --proxy option and how to find the relevant IP and port?

--proxy 127.0.0.1:8082

thanks.

15

If you think that 127.0.0.1:8082 is a placeholder, itā€™s not, itā€™s the real IP+port

See: How to install software | Qubes OS

1 Like
16

Thanks for the answer and the link

17

One can also, of course, download the GPG key in a disposable Qube and send it to the TemplateVM via Qubeā€™s default mechanism.

For reference, the key had the following signature for me:

DBA3 6B51 81D0 C816 F630 E889 D980 A174 57F6 FB06

Seems to be identical to what is mentioned here. Unfortunately, there still seem to be no official instructions on verifying the keyā€™s fingerprint before using it. Kind of a bad look for a privacy focused app like Signal, IMHO.

18

Regarding Signal - itā€™s still a phone app, but theyā€™ve gotten MUCH better about the privacy angle since they implemented symbolic names. Previously the only way to connect to someone was by sharing phone numbers, and thatā€™s just not safe for a lot of us. I avoid cellular geolocation by using Google Voice numbers, and I can tolerate the little bit of exposure that comes using their PSTN numbers to get Signal going, since they donā€™t get much beyond the initial registration.

Iā€™ve used Authy for years as a two factor authentication method, but they cancelled their desktop support maybe a year ago, so Iā€™ve begun climbing the KeePassXC/KeePassium learning curve. Once thatā€™s done Iā€™m going to have a look at non-PSTN voice comms. My people are stuck on Signal and that wonā€™t change, but I want to build a smooth ā€œno phonesā€ config just for the sake of advancing the tradecraft in this area.

The end goal is turning the clock back to 2011, when we were using WiFi hotspots and iPod Touch - all the features of an iPhone but no nasty baseband processor tattling on us to NYPD during Occupy. 2011 hotspots to todayā€™s phone based service is like trading a 9600 modem for fiber to the home.

I donā€™t love it, but looking at the news itā€™s pretty clear weā€™re going to be needing stuff like this fairly soon, U.S. 2025 kinda looks like North Africa in 2011, all set to boil over.

1 Like