Status of Signal on the Librem 5

I did not manage to change the remote of the already installed Signal desktop flatpak. Apparently that is not possible. So I will remove and re-install the Signal desktop flatpak from the new remote.

1 Like

Novice question. Downloaded the .zip file from GitHub and extracted it. Now I have the folder “signal-desktop-development” in the download folder on the Librem 5. What do I do now, or was there a different way I should have done it from GitHub?

Thanks!

@lib52 it may be easier to install signal-desktop via flatpak, see the link to signalflatpak in this comment: Status of Signal on the Librem 5 - #19 by elagost

1 Like

In my opinion Signal is easy because it glues itself to your phone number and address book, and while your communications are secure, metadata and who you talk to are probably retained, if at a minimum to help you connect with friends at the start.

TOX clients are hard to use by design because they require you to act securely and pair securely; they don’t give you an easy way to onramp questionable software and contacts. The Qtox GUI works on PureOS/Librem 5 if you use the compositor. There are a few tweaks keeping us away from using Briar though a diminished Linux desktop client which is missing the critical offline Bluetooth swarm bridging message sneaker-netting.

Something happened with the US presidential war cabinet where they were oversharing war plans on Signal in the summer of 2025, some sources claim it was a bespoke non-standard build, though it was probably just letting everyone join a secret discussion ‘room’.

Qtox and Briar require secure pairing and joining. Qtox has video and audio, though it is not fully working (no video & audio) on the Librem/PureOS; it was a bit better on Mobian/PinePhone, with audio and video at one point, but secure chat works for both. Briar is mostly about chat messages and creating discussions more like FidoNet and Usenet in the 80s. Both are very secure; both rely on TOX and TOR networks to route traffic.

Hey, that worked! I’m such a novice it took me over an hour to figure out how to use GitHub properly (from trying to download the zip etc.; finally read that you look in the “read me” section). Anyway, got the app installed. Doesn’t appear blurry like the instructions warned. The only smartphone I own is the Librem 5, so idk yet how I’m going to figure out the linking part, but good to know the app installed. Thanks!

2 Likes

I use the Librem 5 as my daily phone and also with Signal Desktop.
Some tips:

  • Zoom out a few times in Signal Desktop. Use Ctrl and - key. This gives a less cramped overview.
  • Make the left pane as narrow as possible, so you only see the avatars. Tapping on the hamburger menu also hides the tabs.

1 Like

Do you have a way to get notifications about Signal messages without having the Signal Desktop app running all the time?

No, I leave Signal Desktop running all the time, but I also do use suspend when not connected to power. I wake the Librem 5 now and then to see if there are Signal messages. And I tell people to phone call or SMS me if I have to respond immediately.

1 Like

I use a small script to wake up the phone and check for messages. And go to sleep if there are none.

1 Like

How? What does your script look like?

I use the rtc to wake up every x minutes or so.

Wait until internet is working, and then check if there are new messages on dbus.

If not, go back to sleep; if there are new ones, enable display and play sound.

6 Likes
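One way to implement the loop described in the post above, as an added example that is not the poster's script. It assumes util-linux `rtcwake` (run through passwordless sudo), `dbus-monitor`, `canberra-gtk-play`, and that Signal Desktop announces messages through `org.freedesktop.Notifications` with the app name `Signal`; the display-wake step is compositor-specific and is not included.

```shell
#!/bin/sh
# Added example: RTC wake / check / re-suspend loop (not the poster's script).
APP_NAME="${APP_NAME:-Signal}"          # assumption: app_name Signal Desktop passes to Notify
INTERVAL="${INTERVAL:-600}"             # seconds asleep between checks
GRACE="${GRACE:-45}"                    # seconds to let Signal Desktop sync once online
PROBE_HOST="${PROBE_HOST:-signal.org}"  # assumption: host used as a connectivity probe

# Read dbus-monitor text on stdin. Succeed only if some Notify call has
# $APP_NAME as its first string argument (the app_name field).
has_notification() {
    awk -v app="$APP_NAME" '
        /member=Notify/ { pending = 1; next }
        pending && /^ *string "/ {
            s = $0; sub(/^ *string "/, "", s); sub(/"$/, "", s)
            if (s == app) found = 1
            pending = 0          # later strings are summary/body, not app_name
        }
        END { exit (found ? 0 : 1) }'
}

# Poll until the probe host answers, giving up after about two minutes.
wait_online() {
    tries=0
    while [ "$tries" -lt 30 ]; do
        ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1 && return 0
        tries=$((tries + 1)); sleep 2
    done
    return 1
}

main_loop() {
    log=$(mktemp)
    while :; do
        sudo rtcwake -m mem -s "$INTERVAL" >/dev/null  # suspend; RTC alarm resumes
        # Record notifications from the moment of resume, so nothing sent
        # while the network is still coming up is missed.
        dbus-monitor --session \
            "type='method_call',interface='org.freedesktop.Notifications',member='Notify'" \
            >"$log" 2>/dev/null &
        mon=$!
        wait_online && sleep "$GRACE"
        kill "$mon" 2>/dev/null; wait "$mon" 2>/dev/null
        if has_notification <"$log"; then
            canberra-gtk-play -i message-new-instant   # audible alert
            break                                      # stay awake for the user
        fi
    done
    rm -f "$log"
}

if [ "${1:-}" = "--run" ]; then main_loop; fi
```

Matching only the `app_name` field keeps a notification from another application that merely mentions "Signal" in its summary or body from holding the phone awake.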

Tox should really not be used. Its library (toxcore) is showing a big warning disclaimer on GitHub that it has not been properly audited, and multiple issues are open discussing security aspects of it. Also, I already had tests on my local machine where the protocol itself messed up so hard that I could steal the identity of another client by accident. Which means it probably messes up multiple cryptographic operations by a lot, given that I didn’t even need to look for attack vectors intentionally.

Still I used Tox as inspiration for the GNUnet Messenger in terms of how easy it was to get started. You don’t need to register an account or anything. But it surely missed a way to quickly open a secure chat with someone. You don’t need a phone number for that though.

2 Likes

That is a massive ‘bug’, as we are supposed to have public/private GPG-style crypto signatures proving our identity in Tox. Until that point I had felt that toxcore was a great way to have a securely initiated phone/vid-call, chat, or file transfer, and that at least the project was competently managed but possibly subject to groupthink, missing problems that would be caught by an outside audit. But if even identity can be spoofed easily… accidentally! it means that quite possibly nothing except a few TOR links is working inside the ‘black box’. Please post your bug report so we can follow the progress on GitHub.

This was years ago, and the project didn’t really look active back then (2019 or 2020). So I didn’t open an issue for it. But given they still have the warning banner linking to open issues, I wouldn’t assume it has been fixed. Maybe they did though. The one issue states their handshake would be vulnerable, and this might be exactly what I experienced by accident. However, they changed their handshake in 2024.

Either way they are still claiming to not have been audited properly. So there’s definitely no guarantee for it to be secure. I would definitely not compare it to Signal before they have done a full specification that can be audited.