[morelisp]

Are Signal's Android builds no longer reproducible?

[ndiscussion]

It looks like they are, but there might be a minor issue in verifying the content: https://github.com/signalapp/Signal-Android/issues/10476

But despite best efforts by the community to verify builds, Google and Apple can be forced to upload a malicious app to a particular user, meaning they aren't using the same app at all.

[greysonp]

> But despite best efforts by the community to verify builds, Google and Apple can be forced to upload a malicious app to a particular user, meaning they aren't using the same app at all.

Hi there! Signal-Android developer here. App signing verification is done at the OS-level, and Google does not have our signing key, so they wouldn't be able to give an existing user a different APK and have it successfully install.

[ndiscussion]

Is that really true? Couldn't Google forcibly turn off the code-signing requirement on an individual's phone?

They've been known to reset passwords remotely in the past: https://www.theverge.com/2016/3/30/11330892/fbi-google-andro...

[codethief]

No, they could not. And if you don't want to trust $random_manufacturer's Android ROM, you could switch to GrapheneOS[0] whose developer Daniel Micay attaches a lot of importance to reliable app signatures (which is why GrapheneOS doesn't come with MicroG as the latter would need signature spoofing).

[0]: https://grapheneos.org/

[morelisp]

If your threat model includes the ability to force Apple to do X, then Signal is irrelevant.

[ndiscussion]

That's probably a good point, I'm using GrapheneOS which is not identifiable to Google/Apple and can't be singled out for updates.