Using Signal Desktop on Fedora with Flatpak

In the 2018 race to re-invent AOL Instant Messenger, Signal comes out on top of the competition for end-to-end encryption and a focus on privacy and security.  Signal Desktop was recently released for Windows, Mac and Debian-based Linux distributions only, with no official RPM available.  Here’s how to use app sandboxing with Flatpak to get it running nicely.

 

Getting Started with Flatpak
Flatpak is a containerized application framework that uses ostree for updates and management.  It is also distribution-independent, which is useful for applications that have native Linux builds but no packages available for your distribution yet.  Lastly, the application is sandboxed from the rest of the system, so there’s some utility in just running things that way anyway.

First you’ll need to install it for Fedora with the following command as root.

dnf install flatpak

Once the flatpak framework is installed everything else is run as your local user.

Install Flathub Repo
Obtain the Flathub repository; this is sort of like an RPM repository for flatpak packages.

flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo

Flatpak should prompt you for PackageKit authorization (this is a good thing; read below about why we’re not using Docker instead).

You can find other Flathub flatpak packages here.

Install Signal Flatpak
Now you’ll want the Signal flatpak; run this to install it as your local user:

flatpak install https://flathub.org/repo/appstream/org.signal.Signal.flatpakref

You’ll see some dependencies being pulled down also.

Installing: org.signal.Signal/x86_64/stable
Required runtime for org.signal.Signal/x86_64/stable 
(org.freedesktop.Platform/x86_64/1.6) is not installed, searching...
Found in remote flathub, do you want to install it? [y/n]: y
Installing: org.freedesktop.Platform/x86_64/1.6 from flathub
[######- ] Downloading: 35.6 MB/136.2 MB (1.3 MB/s)

Once finished, you should see it in the output of the flatpak list command, along with any dependencies that were pulled in:

flatpak list
Ref                                             Options 
org.signal.Signal/x86_64/stable                 system,current
org.freedesktop.Platform.VAAPI.Intel/x86_64/1.6 system,runtime
org.freedesktop.Platform.ffmpeg/x86_64/1.6      system,runtime
org.freedesktop.Platform/x86_64/1.6             system,runtime

Running Signal
At this point you can run Signal via the following command:

flatpak run org.signal.Signal/x86_64/stable

It will prompt you to scan the QR code with the Signal app on your phone; after that, things should work.

We’re going to set up a freedesktop.org .desktop file so it gets a nice pretty icon.

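# Create the per-user applications directory if it does not exist yet
mkdir -p ~/.local/share/applications
# Network and InstantMessaging are registered freedesktop.org menu categories
cat > ~/.local/share/applications/signal.desktop << EOF
[Desktop Entry]
Name=Signal Desktop
Comment=Signal Private Messenger
Exec=flatpak run org.signal.Signal/x86_64/stable
Icon=/var/lib/flatpak/app/org.signal.Signal/x86_64/stable/active/files/share/icons/hicolor/64x64/apps/org.signal.Signal.png
Terminal=false
Type=Application
Categories=Network;InstantMessaging;
EOF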

Now you should be able to run Signal from your application menu or nest it within plank or an application launcher.  Now we have a sweet application icon.

Updating Signal
You can update flatpaks by running the update command:

flatpak update org.signal.Signal/x86_64/stable

You can also get more info about any available flatpaks via the info command:

flatpak info org.signal.Signal/x86_64/stable
Ref: app/org.signal.Signal/x86_64/stable
ID: org.signal.Signal
Arch: x86_64
Branch: stable
Origin: flathub
Date: 2018-03-14 17:31:57 +0000
Subject: update to v1.6.0 (90263399)
Commit: f3cce0883a929017e933dcb3bd2eccfd3fc7c99f3199de4cd878d
Parent: ae745b3ff32255fe69666b0b7b83b75780108484ca5b366a7c4f9
Location: /var/lib/flatpak/app/org.signal.Signal/x86_64/stable/f3c
Installed size: 225.9 MB
Runtime: org.freedesktop.Platform/x86_64/1.6

Updating Everything
You can run the update command by itself to update all the dependencies and Flatpak applications at once.

flatpak update

Using Signal
I quite like Signal and their focus on privacy and security.  It’s important to note Google will be discontinuing Google Chrome apps in 2018 as they do with most things people find useful for too long.  It’s good to start thinking about moving over common applications you might use on the desktop that previously relied on using a Chrome app.  In this case flatpak makes this easier.

Update: Someone has made an unofficial Fedora COPR repository that provides Signal desktop via RPM on Fedora or CentOS/RHEL.

Why FlatPak (App Sandboxing) instead of Docker?
There’s a good thread on Reddit that explains the differences between Docker vs. Flatpak in more detail than I need to here.  For my usage with desktop applications Docker is not the best choice.  The main reasons why I believe Docker is not a good choice for this are around standards compatibility, modularity and overall security.

Flatpak app sandboxing has the ability to update/manage individual sub-dependencies (e.g. Xorg, libraries, etc) without having to spin up a new container – it’s modular instead of monolithic.

Another reason is security: with Flatpak, application binaries are sandboxed entirely as your non-root user.  Docker has no concept of FreeDesktop.org access control (privilege elevation, PackageKit, ConsoleKit, etc) whereas FlatPak app sandboxing operates strictly under these well-defined and documented guidelines/specifications.

It’s more possible (though usually unlikely) that something could escape the cgroup confines of a container and become a vector; you really need to trust what you’re running as a container.  For containerized Xorg desktop apps you also need to give them an X11 socket.

X11/Xorg runs via an suid root wrapper on most distributions and has a historically less-than-stellar security track record.  Yes, you can reconfigure Xorg/X11 to run without root rights but nobody does this.

Lastly, FreeDesktop.org standards compliance is important, and Flatpak is built upon this.  Flatpak is made for X11 application sandboxing and has a very strict package submission process, which also requires that a package passes test coverage and standards enforcement.  This sort of scrutiny isn’t in place at, say, Dockerhub.

Docker/LXC/containers certainly have their place in a lot of solutions and really empower services, micro-services and many other use cases but here I think Flatpak application sandboxing instead of a full-blown container is a better solution as it deals with X11/Xorg applications like Signal.
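
To check the sandboxing described in this section against what an installed flatpak is actually granted, the following added example (not part of the original post) scans the keyfile printed by `flatpak info --show-permissions` for broad grants such as the X11 socket discussed above.  The function name `audit_flatpak_perms`, the sample keyfile and the set of flagged grants are assumptions made for illustration; the flagged set is a starting point, not a complete list.

```shell
#!/bin/sh
# Added example (not from the original post): flag broad grants in a Flatpak
# permissions keyfile. Real input would come from:
#   flatpak info --show-permissions org.signal.Signal | audit_flatpak_perms

# Reads the keyfile on stdin and prints one finding per broad grant.
audit_flatpak_perms() {
    awk '
        # Only the [Context] group carries socket/device/filesystem grants.
        /^\[/ { in_context = ($0 == "[Context]"); next }
        !in_context || index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            n = split(substr($0, index($0, "=") + 1), vals, ";")
            for (i = 1; i <= n; i++) {
                v = vals[i]
                sub(/:(ro|rw|create)$/, "", v)   # drop the access-mode suffix
                if (key == "sockets" && v == "x11")
                    print "sockets=x11: X11 does not isolate clients from each other"
                else if (key == "sockets" && (v == "session-bus" || v == "system-bus"))
                    print "sockets=" v ": unfiltered D-Bus access"
                else if (key == "devices" && v == "all")
                    print "devices=all: access to all host device nodes"
                else if (key == "filesystems" && (v == "host" || v == "home"))
                    print "filesystems=" v ": broad file access outside the sandbox"
            }
        }'
}

# Constructed sample keyfile for illustration; not the real Signal manifest.
SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=all;
filesystems=xdg-download;home:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk'

# Run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_PERMS" | audit_flatpak_perms
```

Grants can be narrowed per user with `flatpak override --user` (for example `--nofilesystem=home`) and reviewed with `flatpak override --user --show org.signal.Signal`.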

About Will Foster

hobo devop/sysadmin, all-around nice guy.