In the 2018 race to re-invent AOL Instant Messenger, Signal comes out on top of the competition for end-to-end encryption and a focus on privacy and security. Signal Desktop was recently released for Windows, Mac and Debian-based Linux distributions only, with no official RPM available. Here’s how to use app sandboxing with Flatpak to get it running nicely.
Getting Started with Flatpak
Flatpak is a containerized application framework that uses ostree for updates and management. It is also independent of distribution, which is useful for software that has a native Linux build but no package for your distribution yet. Lastly, the application is sandboxed from the rest of the system, so there’s some utility in just running things that way anyway.
First you’ll need to install it for Fedora with the following commands as root.
dnf install flatpak
Once the flatpak framework is installed everything else is run as your local user.
Install Flathub Repo
Obtain the Flathub repository; this is sort of like an RPM repository for flatpak packages.
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
Flatpak should prompt you with PackageKit authorization (this is a good thing, read below about why we’re not using Docker instead).
You can find other Flathub flatpak packages here.
Install Signal Flatpak
Now you’ll want the Signal flatpak. Run this to install it as your local user:
flatpak install https://flathub.org/repo/appstream/org.signal.Signal.flatpakref
You’ll see some dependencies being pulled down also.
Installing: org.signal.Signal/x86_64/stable
Required runtime for org.signal.Signal/x86_64/stable (org.freedesktop.Platform/x86_64/1.6) is not installed, searching...
Found in remote flathub, do you want to install it? [y/n]: y
Installing: org.freedesktop.Platform/x86_64/1.6 from flathub
[######- ] Downloading: 35.6 MB/136.2 MB (1.3 MB/s)
Once finished you should see it under the flatpak list command along with any dependencies that were pulled in:
Ref                                               Options
org.signal.Signal/x86_64/stable                   system,current
org.freedesktop.Platform.VAAPI.Intel/x86_64/1.6   system,runtime
org.freedesktop.Platform.ffmpeg/x86_64/1.6        system,runtime
org.freedesktop.Platform/x86_64/1.6               system,runtime
At this point you can run Signal via the following command:
flatpak run org.signal.Signal/x86_64/stable
It will prompt you to scan the QR code with the Signal app on your phone, then things should work.
We’re going to set up a freedesktop.org .desktop file so it makes a nice pretty icon.
cat > ~/.local/share/applications/signal.desktop << EOF
[Desktop Entry]
Name=Signal Desktop
Comment=Signal Private Messenger
Exec=flatpak run org.signal.Signal/x86_64/stable
Icon=/var/lib/flatpak/app/org.signal.Signal/x86_64/stable/active/files/share/icons/hicolor/64x64/apps/org.signal.Signal.png
Terminal=false
Type=Application
Categories=Internet;
EOF
Now you should be able to run Signal from your application menu or nest it within plank or an application launcher. Now we have a sweet application icon.
You can update flatpaks by running the update command:
flatpak update org.signal.Signal/x86_64/stable
You can also get more info about any available flatpaks via the info command:
flatpak info org.signal.Signal/x86_64/stable
Ref: app/org.signal.Signal/x86_64/stable
ID: org.signal.Signal
Arch: x86_64
Branch: stable
Origin: flathub
Date: 2018-03-14 17:31:57 +0000
Subject: update to v1.6.0 (90263399)
Commit: f3cce0883a929017e933dcb3bd2eccfd3fc7c99f3199de4cd878d
Parent: ae745b3ff32255fe69666b0b7b83b75780108484ca5b366a7c4f9
Location: /var/lib/flatpak/app/org.signal.Signal/x86_64/stable/f3c
Installed size: 225.9 MB
Runtime: org.freedesktop.Platform/x86_64/1.6
You can run the update command by itself to update all the dependencies and Flatpak applications at once.
I quite like Signal and their focus on privacy and security. It’s important to note Google will be discontinuing Google Chrome apps in 2018 as they do with most things people find useful for too long. It’s good to start thinking about moving over common applications you might use on the desktop that previously relied on using a Chrome app. In this case flatpak makes this easier.
Update: Someone has made an unofficial Fedora COPR repository that provides Signal desktop via RPM on Fedora or CentOS/RHEL.
Why Flatpak (App Sandboxing) instead of Docker?
There’s a good thread on Reddit that explains the differences between Docker vs. Flatpak in more detail than I need to here. For my usage with desktop applications Docker is not the best choice. The main reasons why I believe Docker is not a good choice for this are around standards compatibility, modularity and overall security.
Flatpak app sandboxing has the ability to update/manage individual sub-dependencies (e.g. Xorg, libraries, etc) without having to spin up a new container – it’s modular instead of monolithic.
Another reason is security: with Flatpak, application binaries are sandboxed entirely as your non-root user. Docker has no concept of FreeDesktop.org access control (privilege elevation, PackageKit, ConsoleKit, etc) whereas Flatpak app sandboxing operates strictly under these well-defined and documented guidelines/specifications.
It’s more possible (though usually unlikely) that something could escape the cgroup confines of a container and become a vector, so you really need to trust what you’re running as a container. For containerized Xorg desktop apps you also need to give the container an X11 socket.
X11/Xorg runs via a suid root wrapper on most distributions and has a historically less-than-stellar security track record. Yes, you can reconfigure Xorg/X11 to run without root rights, but nobody does this.
Lastly FreeDesktop.org standards compliance is important, and Flatpak is built upon this. Flatpak is made for X11 application sandboxing and has a very strict package submission process and requires that it also passes test coverage and standards enforcement. This sort of scrutiny isn’t in place at say, Dockerhub.
Docker/LXC/containers certainly have their place in a lot of solutions and really empower services, micro-services and many other use cases but here I think Flatpak application sandboxing instead of a full-blown container is a better solution as it deals with X11/Xorg applications like Signal.
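How much the sandbox actually isolates depends on the permissions each Flatpak application is granted, including the X11 socket discussed above. The following is an added example, not part of the original post: it audits the keyfile text that `flatpak info --show-permissions` prints and flags broad grants. The function names are hypothetical and the sample permissions are constructed for illustration, not Signal's real ones.

```shell
#!/usr/bin/env bash
# Flag Flatpak permission grants that open holes in the sandbox.
# Input: the keyfile text printed by `flatpak info --show-permissions <app-id>`.

# Constructed sample for offline use; NOT Signal's actual permissions.
sample_permissions() {
  cat <<'EOF'
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=dri;
filesystems=home;xdg-download:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
EOF
}

# audit_permissions (hypothetical helper): reads the keyfile on stdin and
# prints one "SEVERITY key=value reason" line per risky [Context] grant.
audit_permissions() {
  awk -F= '
    /^\[/ { in_ctx = ($0 == "[Context]"); next }   # track current section
    !in_ctx || NF < 2 { next }                      # only key=value in [Context]
    {
      n = split($2, vals, ";")
      for (i = 1; i <= n; i++) {
        v = vals[i]
        if (v == "") continue
        if ($1 == "sockets" && v == "x11")
          print "HIGH sockets=x11 shares the host X server, which does not isolate clients"
        else if ($1 == "devices" && v == "all")
          print "HIGH devices=all exposes every device node"
        else if ($1 == "filesystems" && (v ~ /^(host|home)$/ || v ~ /^(host|home):/)) {
          sev = (v ~ /:ro$/) ? "MEDIUM" : "HIGH"   # read-only still allows reading
          print sev " filesystems=" v " reaches files outside the sandbox"
        }
      }
    }'
}

# Stand-alone run on the sample; on a real system pipe in
# `flatpak info --show-permissions org.signal.Signal` instead.
sample_permissions | audit_permissions
```

Grants flagged this way can be narrowed per user with `flatpak override --user`, for example `--nofilesystem=home`.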