How to install Briar?

I want to use a android app called Briar.
I need to make android qube first?

That project now offers a desktop version for debian as well.

Then I download the deb file in debain tamplate and use?

Install it in a template, shut down the template, create an appvm based on that template, use the app in the new appvm.

I don’t t̶r̶u̶s̶t̶ use this software myself but,I came across the snippet today, realized I forgot to post, wanted to dust it off and take it for a test drive …

Here’s some bash to install briar desktop within a bullseye (debian-11-minimal) template:

#!/bin/bash
apt update && apt upgrade -y && apt autoremove -y
apt install -y qubes-core-agent-networking curl libxtst6 pulseaudio-qubes notification-daemon
export https_proxy=127.0.0.1:8082
curl -sSLo /tmp/briar-desktop-debian-bullseye.deb https://desktop.briarproject.org/debs/bullseye/briar-desktop-debian-bullseye.deb
if [[ $(sha256sum /tmp/briar-desktop-debian-bullseye.deb) = "34804165b7d8f3a8da860e2ad9d00bffc139c8e99c4fa40086e40ac82642dfcc  /tmp/briar-desktop-debian-bullseye.deb" ]];then apt install -y /tmp/briar-desktop-debian-bullseye.deb; fi

Additionally, I’m of the opinion that there may a learning opportunity at hand for some users who watch “Channel ZERO” & want to “believe the hype” …

Unlike everyone’s favorite project, this project is not offering any pgp signing keys nor official repositories or detached signatures protected by them. Currently, the briar project is merely relying on publishing SHA256 hashes on the project’s web page with the following text:

If you know how to use SHA-256 checksums you can check that the file you’ve downloaded matches the checksum below:
briar-desktop-ubuntu-22.04-0.4.1-beta.deb: bf439d410cd26533dde2f9c2a94a95e341a47f97456c1a3bdc69b3e82b7b367c
briar-desktop-ubuntu-20.04-0.4.1-beta.deb: ec908349b2ef86a548f9f6d7c82c1033eb1122f978e0c08031a55ec6aa6dc75f
briar-desktop-ubuntu-18.04-0.4.1-beta.deb: 724ba3f84c85eb556d4554be943359a856e8426b0ef10de311485633db7f4a74
briar-desktop-debian-bullseye-0.4.1-beta.deb: 34804165b7d8f3a8da860e2ad9d00bffc139c8e99c4fa40086e40ac82642dfcc
briar-desktop-linux-0.4.1-beta.jar: fea0160e6da96d5a0963a9b0d937af468b4ea64e78652ceb28f4e668a4ff7bc3
Briar-Desktop-0.4.1-beta.msi: 8dd6dbbf6421ee18b1ab61208b560782898d0d862454735fa588d128e178c29e

Using bullseye as an example:

A) On the same page as these hashes, the link provided for Debian stable (bullseye) and compatible .deb points to a file of a different name (briar-desktop-debian-bullseye.deb) which, could cause some users confusion but, could be ok (metadata has no impact on a cryptographic hash) except …

B) If one were to download the available linked file and attempt to verify it’s hash against the one published (as the snippet above does before installing), the hash returned is: 38aadc720df54551b6d0a0fc732d1e14501e88904f778c8616c5678269f2c356.

This obviously does not match that of which is published and noted above.

C) Nor does the binary package briar-desktop-debian-bullseye-0.4.1-beta.deb look to be readily available as, attempting this manually manipulated link using the file name which has an associated SHA256 hash fails with a 404 response code.

• Where does this leave the user?
  – Can one trust the supplied binary?
  – Ought one install a binary who’s authenticity can not be validated?
  – Has an APT pwned the project’s site and replaced binaries with versions containing malware?
  – Can a privacy-oriented “secure messenger” project be taken seriously when PGP isn’t leveraged to support binary verification?

I don’t have hard answers to those simple questions as, it’s left up to prospective users to decide on their own.

How do I think this may have happened?

It looks to me as though whomever is managing these beta releases on the storage backend is not synced up with whomever it is that is managing the web frontend leading to the inaccurate & useless hashes given above because when this:

$ dpkg -I briar-desktop-debian-bullseye.deb

is run against the file available with the hash of 38aadc720df54551b6d0a0fc732d1e14501e88904f778c8616c5678269f2c356, the output returned reads:

 new Debian package, version 2.0.
 size 133991892 bytes: control archive=1112 bytes.
     299 bytes,    10 lines      control              
    1245 bytes,    37 lines   *  postinst             #!/bin/sh
     620 bytes,    31 lines   *  preinst              #!/bin/sh
     935 bytes,    39 lines   *  prerm                #!/bin/sh
 Package: briar-desktop
 Version: 0.4.2-beta-1
 Section: comm
 Maintainer: The Briar Project <contact@briarproject.org>
 Priority: optional
 Architecture: amd64
 Provides: briar-desktop
 Description: Secure messaging, anywhere
 Depends: libc6, libexpat1, libnotify4, xdg-utils, zlib1g
 Installed-Size: 240900

It is available as flatpak as well…Flathub—An app store and build service for Linux…
Might be a better option because you do not have to install it in your template…you could make a “user” install in a dedicated appvm…

It looks as though this project has sorted their CI/CD hiccup and posted the updated hashes.

#!/bin/bash
apt update && apt upgrade -y && apt autoremove -y
apt install -y qubes-core-agent-networking curl libxtst6 pulseaudio-qubes notification-daemon
export https_proxy=127.0.0.1:8082
curl -sSLo /tmp/briar-desktop-debian-bullseye.deb https://desktop.briarproject.org/debs/bullseye/briar-desktop-debian-bullseye.deb
if [[ $(sha256sum /tmp/briar-desktop-debian-bullseye.deb) = "38aadc720df54551b6d0a0fc732d1e14501e88904f778c8616c5678269f2c356  /tmp/briar-desktop-debian-bullseye.deb" ]];then apt install -y /tmp/briar-desktop-debian-bullseye.deb; fi

why don’t you trust? Just curious.