Anyone know if Signal publishes the SHA-1 (or some hash) of its desktop versions? I don't like installing critical apps like this without verifying their integrity.

I know I'm showing my age in a Man Shakes Fist at Cloud way, but it wasn't so long ago that software makers actually published this information on their downloads page.

@briankrebs The best part is the flatpak origin is unverified :D flathub.org/apps/org.signal.Si

And I confirm I cannot find any hash or signature on their website.

@x_cli This is a really bad look, and it's gone on for YEARS now.

@Mer__edith Any insight?

@briankrebs

@apicultor @x_cli @briankrebs

That Flatpak package, linked above in this thread, is unofficial.

Our official download instructions for Linux tell people how to install our APT key, and every release is signed.

Brian Krebs's original message is likely referring to macOS. Our releases are signed on macOS and Windows too.

💐

@Mer__edith @apicultor @x_cli @briankrebs maybe see if @popey or someone can get the flatpak pulled down then, because it looks official but is also terrible

@falken @Mer__edith @apicultor @x_cli @briankrebs

Nothing to do with me. There's a GitHub link from the flathub repo if you wanna go wild. The snap is unofficial too, but that builds from source rather than repacking the deb. Not that it makes a whole heap of difference. Both have 100K+ users so I guess some people trust them.
