Actual apk from the phone produces same result:
https://virusscan.jotti.org/en-US/filescanjob/jkexw6tgcf
Super weird. Must be false alarm.
Depending on which F-Droid repo you’re using, that’ll be either:
- https://fdroid.heartshine.xyz/repo/Signal-Android-foss-5.5.5.0.apk
- https://fdroid.twinhelix.com/fdroid/repo/Signal-Android-play-foss-prod-universal-release-signed-5.5.5.apk
(They’re the same APK, I assume; my repo just pulls from the github releases)
Hi, not sure what MIUI is picking up there! Presumably a false positive. I know Signal has recently been blocked in China, but that’s more of a firewall thing.
The builds for this app have been built by Github’s automated Actions workflow from the corresponding source branch. The build log lists SHA256 sums for the signed APKs if you want to check they’re exactly the same. The only new dependency on top of regular Signal is OsmDroid. So not sure how any nasty code could sneak in.
yes, this app scanner from miui is questionable.
will get a screenshot of report tomorrow, do not have device with me know
No worries, not even sure what I would do with the screenshot 
.
In other news I’ve pushed out 5.6.3.0-FOSS, the last version before all Signal’s new cryptocurrency stuff hits the master branch… 
. Have added this repo to the Known Repositories thread too.
1 Like
Someone tell me why Moxie is still in charge of Signal again? So many ridiculous decisions (the fact that your fork exists is evidence of one of them), and now adding MobileCoin, whose value fluctuates more readily than BitCoin? I’m not a huge fan of cryptocurrency in general but even this is just too much.
Your fork is one of the best things to come out of Signal, and it’s helped me convince a good number of people to switch because the Google fingerprinting is no longer a concern. Fragmenting Signal (and killing its momentum) is the last thing I want but good god.
2 Likes
Technically Google still hosts storage.signal.org and contentproxy.signal.org (Amazon, MS and Cloudflare also host other service components) so they still get some metadata, but thanks and glad you like it! Yeah, it would be lovely if Signal’s priorities were in the right order…
jfyi: there is Signal v5.6.4 branch(v5.6.3 + Fix issue with GV1 deprecation and rotate feature flag).
Aha, that’ll learn me for posting that last version joke 
. Looks like a minor change with feature flagging so might wait for the 5.7 series (unless anyone notes an issue in usage?). I usually do a build when the subsequent beta releases.
Wait, what does this mean? They implemented more closed source stuff?
I believe the new crypto code is open source; it just adds 3mb to the universal APK size and has been a bit contentious with users as to whether it’s a good idea or needed at all.
I’ve released 5.7.6.0-FOSS (MobileCoin is present but disabled upstream); turns out I really had to boost Gradle memory to make it all compile 
. I’ve also now specified a particular Java version in the android.yml workflow file, but can’t quite get the Github builds to match my local builds with the reproducible-builds/apkdiff/apkdiff.py file – any tips welcome.
Also, some Reddit users noted virus warnings with standard Signal from the Play Store on a Huawei P30, for what it’s worth.
Have you seen this pull-request to Signal? Specially how they use the diffoscope tool to compare the APKs.
Cheers @valldrac , might give that a go next time; the Debian folks have done great work on that tool, but it would be nice if Signal’s own tooling worked on its own app too
Also, I was pondering posting a bug/pull request to Signal increasing the websocket timeout from 1 min to 10 mins if the user is on WiFi (mobile networks are awful at dropping connections apparently). Would need a corresponding server update too as that has the same idle timeout. Any ideas why that wouldn’t work?
Right. It should match the timeout in the backends too. Otherwise this bug will reappear. If you follow the linked issues in that bug, you will see it could be that it isn’t fixed yet completely. Are you sure you want to touch that code? It’s doomed.
2 Likes
Have pushed 5.10.8.0-FOSS – sadly they’ve included a new GMS utility function import I’ve patched out and sent them a pull request
1 Like
It seems not possible to create a new signal account with your fork, because I end up in a blank “Aprove your a human” App-page.
@Mannshoch This has come up before in the thread – that’s one part of Signal I can’t touch as the server will sometimes send you a Captcha when signing up. Same advice as I answered that post with I guess, although strange yours is blank (check you don’t have a blocking hosts file / VPN / etc?).
I found the reCAPTCHA Icon. It was in the Bottom right corner. I could only see the Top left corner of the Button. After clicking, it worked. May the Problem was, because I blocked several Google domains on my router and without the Google fonts the reCAPTCHA button sometime look a bit strange.
hello @tw-hx. Do you mean with this that is not possible to get a Signal app totally without sending info to Google?