[mfwoods]

No. The clients are open source, and (at least on Android) you are able to verify that the source on Github is the same that was used to compile the client on Google Play with reproducible builds [1].

And even if the servers turn out to be malicious, the clients are designed to expose as little metadata as possible with things like private contact discovery[2], sealed sender[3] and private groups[4]. It's not perfect, but the data a malicious server could collect is limited.

[1] https://github.com/signalapp/Signal-Android/tree/master/repr...

[2] https://signal.org/blog/private-contact-discovery/

[3] https://signal.org/blog/sealed-sender/

[4] https://signal.org/blog/signal-private-group-system/

[fsflover]

But you cannot verify the source code and binary of the server or set up your own independent one, so reproducible builds don't help here.

[mfwoods]

That's true, and in that sense it doesn't really matter if they publish the server source or not (although they really should continue to do so). What does matter is that the client was designed with a possible malicious server in mind so you don't have to trust the code the server is running.