In the 2018 race to re-invent AOL Instant Messenger, Signal comes out on top of the competition for end-to-end encryption and a focus on privacy and security. Signal Desktop was recently released for Windows, Mac and Debian-based Linux distributions only, with no official RPM available. Here’s how to use app sandboxing with Flatpak to get it running nicely.
Getting Started with Flatpak
Flatpak is a containerized application framework that uses ostree for updates and management. It is also distribution-independent, which is useful for applications that have native Linux builds but no packages available for your distribution yet. Lastly, the application is sandboxed from the rest of the system, so there’s some utility in running things that way anyway.
First you’ll need to install it on Fedora with the following command as root.
dnf install flatpak
Once the flatpak framework is installed everything else is run as your local user.
Install Flathub Repo
Obtain the Flathub repository; this is sort of like an RPM repository for flatpak packages.
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
Flatpak should prompt you for PackageKit authorization (this is a good thing; read below about why we’re not using Docker instead).
You can find other Flathub flatpak packages here.
Install Signal Flatpak
Now you’ll want the Signal flatpak. Run this to install it as your local user:
flatpak install https://flathub.org/repo/appstream/org.signal.Signal.flatpakref
You’ll see some dependencies being pulled down also.
Installing: org.signal.Signal/x86_64/stable
Required runtime for org.signal.Signal/x86_64/stable (org.freedesktop.Platform/x86_64/1.6) is not installed, searching...
Found in remote flathub, do you want to install it? [y/n]: y
Installing: org.freedesktop.Platform/x86_64/1.6 from flathub
[######- ] Downloading: 35.6 MB/136.2 MB (1.3 MB/s)
Once finished, you should see it in the output of the flatpak list command, along with any dependencies that were pulled in:
Ref                                              Options
org.signal.Signal/x86_64/stable                  system,current
org.freedesktop.Platform.VAAPI.Intel/x86_64/1.6  system,runtime
org.freedesktop.Platform.ffmpeg/x86_64/1.6       system,runtime
org.freedesktop.Platform/x86_64/1.6              system,runtime
At this point you can run Signal via the following command:
flatpak run org.signal.Signal/x86_64/stable
It will prompt you to scan the QR code with the Signal app on your phone, then things should work.
Update: Creating the below .desktop file should no longer be necessary with Flatpak, however I’m leaving this in here for posterity (or if for some reason it does not create one for you).
We’re going to set up a freedesktop.org .desktop file so it gets a nice pretty icon.
cat > ~/.local/share/applications/signal.desktop << EOF
[Desktop Entry]
Name=Signal Desktop
Comment=Signal Private Messenger
Exec=flatpak run org.signal.Signal/x86_64/stable
Icon=/var/lib/flatpak/app/org.signal.Signal/x86_64/stable/active/files/share/icons/hicolor/64x64/apps/org.signal.Signal.png
Terminal=false
Type=Application
Categories=Internet;
EOF
Now you should be able to run Signal from your application menu or nest it within plank or an application launcher. Now we have a sweet application icon.
You can update flatpaks by running the update command:
flatpak update org.signal.Signal/x86_64/stable
You can also get more info about any available flatpaks via the info command:
flatpak info org.signal.Signal/x86_64/stable
Ref: app/org.signal.Signal/x86_64/stable
ID: org.signal.Signal
Arch: x86_64
Branch: stable
Origin: flathub
Date: 2018-03-14 17:31:57 +0000
Subject: update to v1.6.0 (90263399)
Commit: f3cce0883a929017e933dcb3bd2eccfd3fc7c99f3199de4cd878d
Parent: ae745b3ff32255fe69666b0b7b83b75780108484ca5b366a7c4f9
Location: /var/lib/flatpak/app/org.signal.Signal/x86_64/stable/f3c
Installed size: 225.9 MB
Runtime: org.freedesktop.Platform/x86_64/1.6
You can run the update command by itself to update all the dependencies and Flatpak applications at once.
I quite like Signal and their focus on privacy and security. It’s important to note Google will be discontinuing Google Chrome apps in 2018, as they do with most things people find useful for too long. It’s good to start thinking about moving over common applications you might use on the desktop that previously relied on a Chrome app. In this case flatpak makes this easier.
Update: Someone has made an unofficial Fedora COPR repository that provides Signal desktop via RPM on Fedora or CentOS/RHEL.
Why FlatPak (App Sandboxing) instead of Docker?
There’s a good thread on Reddit that explains the differences between Docker vs. Flatpak in more detail than I need to here. For my usage with desktop applications Docker is not the best choice. The main reasons why I believe Docker is not a good choice for this are around standards compatibility, modularity and overall security.
Flatpak app sandboxing has the ability to update/manage individual sub-dependencies (e.g. Xorg, libraries, etc) without having to spin up a new container – it’s modular instead of monolithic.
Another reason is security: with Flatpak, application binaries are sandboxed entirely as your non-root user. Docker has no concept of FreeDesktop.org access control (privilege elevation, PackageKit, ConsoleKit, etc) whereas Flatpak app sandboxing operates strictly under these well-defined and documented guidelines/specifications.
It’s more possible (though usually unlikely) that something could escape the cgroup confines of a container and become a vector, so you really need to trust what you’re running as a container. For containerized Xorg desktop apps you also need to give the container an X11 socket.
X11/Xorg runs via an suid root wrapper on most distributions and has a historically less-than-stellar security track record. Yes, you can reconfigure Xorg/X11 to run without root rights but nobody does this.
Lastly FreeDesktop.org standards compliance is important, and Flatpak is built upon this. Flatpak is made for X11 application sandboxing and has a very strict package submission process and requires that it also passes test coverage and standards enforcement. This sort of scrutiny isn’t in place at say, Dockerhub.
Docker/LXC/containers certainly have their place in a lot of solutions and really empower services, micro-services and many other use cases but here I think Flatpak application sandboxing instead of a full-blown container is a better solution as it deals with X11/Xorg applications like Signal.
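To check what the sandbox discussed above actually grants an installed app, here is an added example (not part of the original post) that scans the output of flatpak info --show-permissions for the X11 socket and other broad grants. The function names and the sample permissions are constructed for illustration; the sample is not Signal's real permission set.

```shell
#!/bin/sh
# Added example (not from the original post): flag broad sandbox grants.
# Real use, once the app is installed:
#   flatpak info --show-permissions org.signal.Signal | audit_permissions
# A grant can then be revoked per user, for example:
#   flatpak override --user --nofilesystem=home org.signal.Signal

# Reads keyfile-style permissions on stdin; prints "WARN key=value" for each
# [Context] grant that widens the sandbox.
audit_permissions() {
  section=""
  while IFS= read -r line; do
    case "$line" in
      "["*"]") section=$line; continue ;;   # section header
      *=*) ;;                               # key=value line, handled below
      *) continue ;;                        # blank or unknown line
    esac
    [ "$section" = "[Context]" ] || continue
    key=${line%%=*}
    rest=${line#*=}
    while [ -n "$rest" ]; do                # values are ';'-separated
      v=${rest%%;*}
      case "$rest" in *";"*) rest=${rest#*;} ;; *) rest="" ;; esac
      case "$key=$v" in
        # x11: clients of one X server are not isolated from each other
        sockets=x11|sockets=fallback-x11|devices=all) echo "WARN $key=$v" ;;
        # host/home: the app can read (and unless :ro, write) user files
        filesystem=host*|filesystem=home*) echo "WARN $key=$v" ;;
      esac
    done
  done
}

# Constructed sample input, NOT Signal's actual permissions.
sample_permissions() {
  cat <<'EOF'
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=all;
filesystem=xdg-download;home:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
EOF
}

sample_permissions | audit_permissions
```

An empty result means none of the listed grants are present; it does not cover D-Bus policy sections, which the function skips.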
Thanks Will! :)
Will this flatpak work with Wayland?
What is the trust model with flatpaks in general and this one specifically? I.e., how do we know this isn’t a MitM, Trojan, etc.?
Thanks for updating your post with the COPR RPM availability. Do you have any comments about its trust model?
Flatpaks on flathub have a pretty strict submission policy so generally speaking they should be mostly trustworthy, but with anything it’s always best to interrogate the source.
Sorry, I don’t know about Wayland but I imagine it should work fine as Flatpak also handles the graphics library required depending on your video card (for my desktop for example it fetches the latest Nvidia libs isolated in their own area).
There is no need to manually create a desktop file. Flatpak will do that automatically for you. It’s possible you need to log out+in once after the first time you installed flatpak to get the custom .desktop file directory into the XDG_DATA_DIRS env var though.
It didn’t used to always do this, hence why it’s in the guide. I noticed that it does this now for most flatpaks however – updated guide to reflect, thanks for the feedback.
I accidentally archived a group message list – I can still see it on Android but I would like to unarchive it on Fedora – is this possible?
Hey Phil, I’m not sure – what happens if you try to reply to it on Android – maybe it will reconstitute on Fedora?
always a good day when google brings me to hobo.house to solve a problem I was looking for a solution to
Many thanks! Just did a clean install of Fedora 30 and added Signal. Ran into a blank screen when starting Signal. Any ideas? Happy to share the Terminal output, though I do not want to clutter your blog.
Hey Sten, you can try pastebinning it here https://paste.fedoraproject.org/ would be happy to look. I’ve only seen that happen on certain Intel integrated GPU systems and a flatpak update pulled in an update for GPU libraries that fixed it for me.
Thank you for the thorough bang up job of writing this up! I was having some difficulty with the other sources of information online and was missing the nugget:
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
Once I added flathub as the remote, I was able to get this working!
Any recommendations on getting Signal to run at startup and run as a background process? I don’t know if there’s a flatpak friendly way of doing this here in 2022, and Signal itself doesn’t seem to be OS aware enough to have a simple “Run at Startup” option. I keep forgetting to fire up Signal when I log in which of course makes it harder to keep in touch with people messaging me!
Hey Jeff, autostart is going to depend a lot on what Desktop Environment you are using. For XFCE at least in my case there’s an area where you can add/remove/manage start-up apps.
I would find the respective area in your Desktop Environment for autostart and add the flatpak launch command to start Signal and see if that does it for you.
flatpak run org.signal.Signal