by tadzik_
2659 days ago
Sure it is: but how do you know if it really is the source code of Signal? For all we know, both the Signal network and its client are a half-baked "secure" and "private" chat, and the source code they publish is an elaborate decoy (though probably a subset of the real underlying code, for obvious reasons).

That's a valid question which used to bug me about open source projects. But apparently they finally figured out that the output of the source needs to be deterministic and match the binaries they ship. This property is called "reproducible builds". Signal claims to have them (modulo some third-party libraries), though I haven't personally verified it: https://signal.org/blog/reproducible-android/
Honestly though, trust boils down to trusting people. I trust Signal because I trust Moxie, and I trust Moxie because of his reputation among the prominent security experts publicly active on the internet, at least the ones that I find convincing. As a security layman, that's the best I can do.
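The check a reproducible build lets you run is a plain entry-by-entry comparison of a locally built APK against the shipped one, ignoring only the signing data under META-INF/, which legitimately differs. The following is an added illustration, not Signal's own tooling; the sample APKs are constructed in memory, and the assumption that nothing outside META-INF/ may differ is the author's.

```python
import hashlib
import io
import zipfile

# Signing data lives under META-INF/ and legitimately differs between a local
# build and the store-distributed APK; every other entry must match exactly.
# (Assumption: nothing outside META-INF is allowed to differ.)
SIGNATURE_PREFIX = "META-INF/"

def entry_digests(apk_bytes):
    """Map each non-signature zip entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(SIGNATURE_PREFIX):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(local_build, shipped):
    """Return sorted (entry, reason) pairs for every difference outside META-INF;
    an empty list means the shipped binary is exactly what the source produced."""
    a, b = entry_digests(local_build), entry_digests(shipped)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            problems.append((name, "only in shipped APK"))
        elif name not in b:
            problems.append((name, "only in local build"))
        elif a[name] != b[name]:
            problems.append((name, "content differs"))
    return problems

def make_apk(entries):
    """Constructed sample: build a minimal APK-shaped zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample APKs: identical code and manifest, different signature blocks.
LOCAL_BUILD = make_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035",
                        "META-INF/CERT.RSA": b"local-dev-signature"})
SHIPPED = make_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035",
                    "META-INF/CERT.RSA": b"release-signature"})
# Tampered: modified dex plus an extra native library; both must be reported.
TAMPERED = make_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035x",
                     "lib/arm64-v8a/libextra.so": b"\x7fELF", "META-INF/CERT.RSA": b"release-signature"})
```

The comparison only proves anything if the local build was produced with the same pinned toolchain the project documents, so an empty result is meaningful, and a non-empty one points at exactly which entries to inspect.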