Is signal-cli secure?

I would like to use signal-desktop without having a smartphone to register.

In one of Micah Lee’s articles (https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/), I see that I can use signal-cli (https://github.com/AsamK/signal-cli).

Even if I fully trust Micah, his article is a bit dated (September 28 2017).

Question 1: how can I be sure that signal-cli is (still) trustworthy?
Question 2: Isn’t it a bit funny that the package is not signed? Wouldn’t it be nice if the fingerprint of the key would be available on Signal’s website? Why is it not so to prove that Signal endorses signal-cli?

NB: If signal-cli is proved trustworthy, I intend to follow this procedure to link my signal-desktop with my signal-cli: https:// ctrl.alt.coop/en/post/signal-without-a-smartphone/

Thank you for your thoughts! Much appreciated!!

PS: As you know, only 2 links are allowed to newcomers —> I introduced a space in the 3rd URL

Usually, people say “it is open-source software, so everybody can check the code.”

Is this realistic for non-technical people? Most likely not. If you can’t check the code yourself, trust comes into play. Therefore, you need to trust the developer of signal-cli or some third parties who say that it is trustworthy (hopefully with some in-depth explanation).

signal-cli is an unofficial Signal client, so Signal (the NPO) won’t sign any packages.

I never saw this app before, tell me more about it. I’m curious.
Like, can I sign up without any phone number whatsoever? Or do I at least need one?

Exactly! And that is why I came here.
Actually, I was thinking of you when posting and hoped you were using it and therefore could “vouch for” it. :slight_smile:

Talking of trust, may I digress a bit off of signal-cli and ask: Are we sure a package that is part of a distribution (Debian, Fedora, etc.) is trustworthy?
I know it must depend on the distribution’s procedure and I know e.g. Debian has sid, testing and stable, but my question is more: Is there somebody at e.g. Debian that checks the source code of packages before incorporating them in the distribution? If not, how do they ensure they do not put crap in their distribution?

While I am here, @infosechandbook, I take the opportunity to thank you for all your contributions:

The 2nd link of my initial post should satisfy your curiosity.
Extracts of its 1st paragraph:

[signal-cli] supports registering, verifying, sending and receiving messages.

For registering you need a phone number where you can receive SMS or incoming calls.

I know Signal is working on this feature but, AFAIK, we are not there yet.
My goal is to use signal-desktop with a second phone number without having to invest in a 2nd smartphone.
I am counting on signal-cli and on this procedure (https:// ctrl.alt.coop /en/ post/ signal-without-a-smartphone/) to achieve that goal.

If any of you had similar goals & experiences, I’d be happy to hear from you.

PS: As you know, only 2 links are allowed to newcomers —> I introduced spaces in URLs


do `` (ex url.com)
Also, if it makes you feel good, I will use that program and tell you about my experience while I’m working with it.

OMG OMG. signal-cli is good and bad. For me, I got some errors: I added a registration PIN and it turned out Signal changed its way of handling those PINs, so I had to reinstall Signal on my phone and remove it. It’s an overall good app, but those downsides I hope they fix (also I hope they enable read notifications on messages).

Yes, we do use signal-cli on some of our servers to get status notifications. We do not use it for daily chats with friends or family.

Would we “vouch for” it?
No, because we didn’t check its code, and we know that “everybody can check the code” is unrealistic in most cases. Why? Because most projects consist of thousands of lines of code + imported dependencies that one needs to check. Checking all of this only with your eyes while keeping track of every single function, variable, etc. is impossible. On the other hand, using static code analyzers isn’t sufficient since they only find a small number of possible vulnerabilities. For instance, tools can hardly detect any logic flaws. Apart from this, in some programming languages, you have compiler-specific or undefined behavior (e.g., in C). This means that your compiled code and its behavior can differ, depending on the compiler you use. While a function may be “secure” when using compiler A, it can be insecure when using compiler B. There are many more problems when it comes to “everybody can check the code.”
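A constructed illustration of the compiler point in the reply above, added here and not code from the thread, from infosechandbook or from signal-cli: the same overflow check written two ways, one relying on undefined signed overflow (which an optimizing compiler may delete) and one that is well defined at every optimization level. The `buffer_size` helper is my own invention for the demonstration.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed example: both functions are meant to refuse a length that
 * would overflow once one byte is added for a terminator. */

/* Version A relies on signed overflow wrapping around. Signed overflow is
 * undefined behaviour in C, so an optimizing compiler is allowed to assume
 * len + 1 < len can never be true and remove the test entirely. The same
 * source can therefore be "secure" at -O0 and not at -O2, or with one
 * compiler and not another. */
int overflow_check_ub(int len) {
    return len + 1 < len;
}

/* Version B compares against the limit before adding. This is defined for
 * every value of len and survives any optimization level or compiler. */
int overflow_check_safe(int len) {
    return len > INT_MAX - 1;
}

/* Hypothetical buffer-sizing helper: sizes len + 1 bytes through whichever
 * check the caller trusts. Returns -1 when the input is refused. */
long buffer_size(int len, int (*check)(int)) {
    if (len < 0 || check(len)) {
        return -1;
    }
    return (long)len + 1;
}

int main(void) {
    /* Only the safe check is guaranteed to print -1 here; what the UB
     * check prints depends on the compiler and its flags. */
    printf("UB check   : %ld\n", buffer_size(INT_MAX, overflow_check_ub));
    printf("safe check : %ld\n", buffer_size(INT_MAX, overflow_check_safe));
    return 0;
}
```

Compiling the block once with `-O0` and once with `-O2` and comparing the first printed line shows the difference the reply describes; the second line is the same in both builds.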
No, because we didn’t check its code, and we know that “everybody can check the code” is unrealistic in most cases. Why? Because most projects consist of thousands of lines of code + imported dependencies that one needs to check. Checking all of this only with your eyes while keeping track of every single function, variable, etc. is impossible. On the other hand, using some static code analyzer isn’t sufficient since they only find a small number of possible vulnerabilities. For instance, tools can hardly detect any logic flaws. Apart from this, in some programming languages, you have compiler-specific or undefined behavior (e.g., in C). This means that your compiled code and the behavior can differ, depending on the compiler you use. While a function may be “secure” when using compiler A, it can be insecure when using compiler B. There are many more problems when it comes to “everybody can check the code.”