Install Signal for desktop using new Debian GPG standards*

* https://wiki.debian.org/DebianRepository/UseThirdParty

UPDATE: LinuxUprising’s admin Logix has written, on my suggestion, a more knowledgeable article on the general case of the deprecated apt-key: https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html

Got a message, “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).”? That’s because Debian no longer wants third-party keys in apt’s deeply trusted, global keyring, “trusted.gpg.d”. Do not use any workarounds, because then you are using deprecated security levels – and this gap is pretty big by today’s standards. So big, I, an enthusiast, could grasp the concept of why. AskUbuntu user Askeli gave a short but graspable answer here: https://askubuntu.com/a/1307181/1149075

Instead, use this procedure that I have worked out, following the new GPG standards as mentioned by Askeli and newly standardised by Debian themselves. The following procedure cleanly installs Signal on at least Ubuntu 20.10 kernel 5.11. Cleanly means without having followed any of Signal’s now deprecated install instructions. If you did follow them, undo them first to avoid a mess of unneeded files all over the place.

Thus far, this method has failed on a virtual machine, probably due to wacky connection issues that are specific to that virtual machine since the “snap install signal-desktop” method worked, but then the signal app couldn’t connect to a network. [UPDATE: Probably due to Signal’s spike in new users, now in the millions in just a few days.]

First, at least remove Signal’s key from trusted.gpg.d if you mistakenly added it there already. If you have, just remove it by searching through the list generated by

  sudo apt-key list

and then removing the signal one by copying its entire key

(looks something like: C93C F6EC 2474 EDA9 D21B B376 7022 8719 20D1 991B) into

  sudo apt-key del "XXXX XXXX XXXX XXXX LONG KEY HERE XXXX XXXX XXXX"

Once your install is undone and clean, fire up a terminal and copy these commands sequentially using the right mouse button (you cannot type ctrl+v in a terminal):

  cd /tmp

  wget https://updates.signal.org/desktop/apt/keys.asc

  gpg --no-default-keyring --keyring ./temp-keyring.gpg --import keys.asc

  gpg --no-default-keyring --keyring ./temp-keyring.gpg --export --output signal-linux.gpg

  rm temp-keyring.gpg

  sudo mv signal-linux.gpg /usr/share/keyrings/

  sudo gedit /etc/apt/sources.list.d/signal-xenial.list

Now, paste

  deb [signed-by=/usr/share/keyrings/signal-linux.gpg] https://updates.signal.org/desktop/apt xenial main

in that .list file. Next:

  cd ..

  sudo apt update

  sudo apt install signal-desktop

This worked for me, though on a virtual machine for me to check my own command-sequence afterwards, it says Signal is now a broken package…

I’ll explain, to my best ability which isn’t the bee’s knees, what we are doing.

First, what cd /tmp does is it changes the directory (cd) we work in to the commonly used /tmp folder. Don’t store any books you’re working on in here, because the folder is cleaned up regularly.

We download the key file from Signal’s website. We must not add it to the formerly used trusted.gpg.d, because apt accepts the keys in there for any repository, not just Signal’s: in doing so, you are allowing any Signal coder who holds that key to possibly edit your whole mainframe. Roughly speaking. You want them to only be able to change their own software.

We convert the ASCII-armored key (keys.asc) to the binary gpg keyring format by first creating a temporary keyring file and importing keys.asc into it, all in a one-line command. Then we export that imported key into an aptly named binary .gpg key file; signal-linux.gpg as I have called it. We can now remove (rm) the temporary keyring file.

Instead of having you drag the key file to the newly Debian-approved folder for third-party keys, I saved you an awkward holding of the mouse and then some “access denied” shame. You need to do this as the superuser (sudo), and what we do is move (mv) our file to the directory.

The contents of the .list file we are editing using the GNOME text editor (gedit) are later read by apt update, and so apt update will stumble upon the pasted text: this is a repository of Debian packages (deb), you can find its key here ([signed-by=..]) (which we just took pains to properly gpg the *** out of), and the URL is where you retrieve the updates and/or install files.

Almost done! All the above finally allows us to type “sudo apt update” and then “sudo apt install signal-desktop”, and apt finds the green light in the form of our key. “Sure, I’ll install signal-desktop”, synaptic says to itself, “it’s secure, my user told me it is”.

P.S. For the security-enthusiasts here: unfortunately, if you found a lonnng list of other keys in that (sudo apt-key list)-command, there are a lot of reasons to consider backing up your essential files and reinstalling your Linux, or otherwise moving all the keys you find to the /usr/share/keyrings folder painstakingly one-at-a-time as per this post’s method, but custom for each one except Debian’s main trusted keys. Different story, and not mine to tell.
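
To see which of your repositories are still relying on the global keyring, the check below classifies each one-line `deb` entry by how its key is scoped. It is an added example, not part of the original post or Signal's instructions; the function names and the `example.invalid` sample repositories are constructed, and it assumes the classic one-line `.list` format (not deb822 `.sources` files).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): classify one-line apt source
# entries by how their signing key is scoped.
#   OK        signed-by names a keyring outside the global trust store
#   GLOBAL    no signed-by: any key in trusted.gpg / trusted.gpg.d is accepted
#   MISPLACED signed-by names a file that itself sits in the global trust store
audit_sources() {
  awk '
    /^[ \t]*deb(-src)?[ \t]/ {
      line = $0; opts = ""; key = ""
      # Pull out the optional [option=value ...] block.
      if (match(line, /\[[^]]*\]/)) {
        opts = substr(line, RSTART + 1, RLENGTH - 2)
        line = substr(line, 1, RSTART - 1) substr(line, RSTART + RLENGTH)
      }
      n = split(opts, o, " ")
      for (i = 1; i <= n; i++)
        if (index(o[i], "signed-by=") == 1) key = substr(o[i], 11)
      split(line, f, " ")            # f[1] = deb|deb-src, f[2] = repository URI
      if (key == "") status = "GLOBAL"
      else if (index(key, "/etc/apt/trusted.gpg") == 1) status = "MISPLACED"
      else status = "OK"
      printf "%s %s %s\n", status, FILENAME, f[2]
    }' "$@"
}

# Constructed sample files; only the Signal line is taken from the post.
make_samples() {
  dir=$(mktemp -d)
  echo 'deb [signed-by=/usr/share/keyrings/signal-linux.gpg] https://updates.signal.org/desktop/apt xenial main' > "$dir/signal-xenial.list"
  printf '%s\n' '# deb https://old.example.invalid/apt stable main' \
    'deb https://repo.example.invalid/apt stable main' > "$dir/legacy.list"
  echo 'deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/example.gpg] https://pkgs.example.invalid/apt stable main' > "$dir/misplaced.list"
  echo "$dir"
}

samples=$(make_samples)
audit_sources "$samples"/*.list
rm -rf "$samples"
```

On a real system, run `audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list`; the distribution's own entries will normally show as GLOBAL, which is expected, so the third-party lines are the ones to look at.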
