xmikos / fdroiddata

Eutopia.cz F-Droid Repository
GNU Affero General Public License v3.0

Import/Export loses images #5

Closed thrillfall closed 8 years ago

thrillfall commented 8 years ago

I "updated" to LibreSignal 3.8.1. Since this version is signed with a new key I had to uninstall the 3.8.0 version and install 3.8.1. Before I deleted the old version I exported (plaintext) my messages and had them imported within the new version. Problem is that the import is missing all images in the chat history. Is that a general Signal problem (I didn't find indication for that) or is this missing in LibreSignal?

xmikos commented 8 years ago

If you are upgrading from official Signal to LibreSignal (it doesn't matter if it is the standard version from the main repository or the WebSocket fork from the experimental repository), you always have to uninstall Signal first (because LibreSignal builds are signed by my own keys - I don't have access to Open Whisper Systems keys).

The main problem is that the plaintext export in Signal doesn't export your Signal keys. Only plaintext messages are exported, nothing more, so basically it is useless. There was a complete (encrypted) backup option in older versions of TextSecure, but unfortunately it has been removed. A few versions back at least an Android backup (via ADB) was possible, but Signal developers disabled this option too.

So now it is only possible to make a backup if you have root access on your device. You can use the open-source OAndBackup app for it.

BeauRugHill commented 8 years ago

Please clarify, did you not change the signing key at the transition to version 3.8.1? I had the previous version installed from the eutopia.cz repo and still got the "signed with new key" situation thrillfall describes.

thrillfall commented 8 years ago

OK. Thanks. But how come the last 2 releases on your repo are signed with a different key than the one before? This was never the case with releases before.

xmikos commented 8 years ago

@BeauRugHill @thrillfall I did not change the signing key in the latest builds. The signature for every build of LibreSignal (org.thoughtcrime.securesms) from https://fdroid.eutopia.cz (it doesn't matter if standard or websocket version) should be like this:

$ keytool -list -printcert -jarfile org.thoughtcrime.securesms_179.apk
Signer #1:

Signature:

Owner: CN=Michal Krenek, O=eutopia.cz, L=Prague, C=CZ
Issuer: CN=Michal Krenek, O=eutopia.cz, L=Prague, C=CZ
Serial number: 68b3f02d
Valid from: Mon Jun 22 22:59:53 CEST 2015 until: Fri Nov 07 21:59:53 CET 2042
Certificate fingerprints:
         MD5:  5B:44:64:CC:7F:A9:83:AB:E9:D3:4D:48:A8:C5:0D:BE
         SHA1: 31:92:73:6C:3B:86:02:44:70:24:89:7F:89:86:24:2B:64:FB:5C:20
         SHA256: 3C:44:09:18:29:23:95:61:17:98:1D:C6:A1:6E:8E:A6:45:76:3D:7A:32:0E:CB:7B:2F:37:21:87:55:90:93:1A
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6E 87 51 5D 77 FA A4 B8   50 CD 4B 61 97 98 2A C1  n.Q]w...P.Ka..*.
0010: 1C 05 78 81                                        ..x.
]
]

You can check yours with keytool too. Are you sure previous versions were installed from my repo and not from somewhere else? Please post your outputs from keytool here; this is really strange, and if it is not some mistake, it could be a potential MITM attack.

I have rechecked signatures of LibreSignal apks on https://fdroid.eutopia.cz and everything seems OK, so the repository shouldn't be compromised. But we should investigate it more thoroughly...
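The check xmikos asks for (compare the SHA256 fingerprint keytool prints for the installed APK with the one above) can also be scripted without keytool. The following is an added example, not code from this thread or from the fdroiddata project; it uses only the Python standard library, reads the APK's v1 (JAR) signature block META-INF/*.RSA, pulls out the signer certificate and prints the same colon-separated SHA-256 fingerprint keytool shows. sample_apk and the certificate bytes it is fed are constructed stand-ins for offline testing, not a real X.509 certificate; an APK signed only with the v2/v3 scheme has no META-INF block, so the function raises instead of guessing.

```python
import hashlib
import io
import zipfile

SIGNED_DATA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # 1.2.840.113549.1.7.2 (signedData)
DATA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"         # 1.2.840.113549.1.7.1 (id-data)

def _tlv(buf, pos):  # decode one DER tag and length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def signer_certificate(pkcs7):
    """DER of the first certificate inside a PKCS#7 SignedData (the META-INF/*.RSA file)."""
    _, pos, _ = _tlv(pkcs7, 0)                    # ContentInfo SEQUENCE
    tag, start, pos = _tlv(pkcs7, pos)            # contentType OID
    if tag != 0x06 or pkcs7[start:pos] != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 signedData structure")
    _, pos, _ = _tlv(pkcs7, pos)                  # [0] EXPLICIT content
    _, pos, _ = _tlv(pkcs7, pos)                  # SignedData SEQUENCE
    for _ in range(3):                            # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = _tlv(pkcs7, pos)
    tag, pos, _ = _tlv(pkcs7, pos)                # certificates [0] IMPLICIT SET OF Certificate
    if tag != 0xA0:
        raise ValueError("SignedData carries no certificates")
    _, _, end = _tlv(pkcs7, pos)                  # first Certificate, header included
    return pkcs7[pos:end]
def fingerprint(cert_der):  # keytool's "SHA256:" line: SHA-256 of the DER certificate, colon separated
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))
def apk_signer_fingerprint(apk):
    """apk is a path, a file object or the zip bytes; uses the first META-INF/*.RSA|DSA|EC block."""
    with zipfile.ZipFile(io.BytesIO(apk) if isinstance(apk, bytes) else apk) as zf:
        blocks = [n for n in zf.namelist() if n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            raise ValueError("no v1 signature block (unsigned, or v2/v3-only signed APK)")
        return fingerprint(signer_certificate(zf.read(blocks[0])))
def _der(tag, body):  # short-form DER encoder (body under 128 bytes); constructed sample only
    return bytes([tag, len(body)]) + body
def sample_apk(cert_der):
    """Constructed stand-in for a signed APK: an in-memory zip whose CERT.RSA wraps cert_der."""
    signed = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _der(0x06, DATA_OID))
                  + _der(0xA0, cert_der))     # version, digestAlgorithms, encapContentInfo, certificates
    pkcs7 = _der(0x30, _der(0x06, SIGNED_DATA_OID) + _der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

On a real file, apk_signer_fingerprint("org.thoughtcrime.securesms_179.apk") returns the same value as the SHA256 line in the keytool output above; only the SHA-256 of the signer certificate should be trusted for comparison, not the Owner/Issuer names, which anyone can copy.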

xmikos commented 8 years ago

@thrillfall You have written:

Since this version is signed with a new key i had to uninstall the 3.8.0 version and install 3.8.1.

But I have never released a build of version 3.8.0. Previous versions before 3.8.1 in the main repository were 3.6.0 and 3.3.1. Previous versions in the experimental repository were 3.6.1-websocket and 3.3.1-websocket.

BeauRugHill commented 8 years ago

@xmikos, thank you for that information and for your efforts!

I have extracted the apk of my phone's current Signal version 3.9.0, which upgraded smoothly, without an uninstall, from the 3.8.0 I had on December 23.

$ keytool -list -printcert -jarfile org.thoughtcrime.securesms.apk
Signer #1:

Signature:

Owner: CN=Kraut, OU=Kraut, O=Kraut, L=Kraut, ST=KR, C=KR
Issuer: CN=Kraut, OU=Kraut, O=Kraut, L=Kraut, ST=KR, C=KR
Serial number: 652d8b5b
Valid from: Sat Aug 09 01:23:10 CEST 2014 until: Wed Dec 25 00:23:10 CET 2041
Certificate fingerprints:
     MD5:  5D:98:67:B5:8A:9E:FC:B6:DD:B6:2F:C9:39:D4:FF:5C
     SHA1: C4:56:5B:71:C0:40:97:18:56:24:52:70:74:C9:76:5E:22:33:5A:08
     SHA256: 6E:30:D6:6E:5B:00:26:23:06:F2:8A:00:58:56:06:DB:2C:12:BC:49:5E:42:48:59:C8:26:A6:86:BF:0E:99:92
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 E3 91 0F A1 CF EF A7   9F 39 7E F0 98 98 AE 1A  .........9......
0010: BA 49 68 F2                                        .Ih.
]
]

I have also checked another apk and noted that this output is identical to the keytool output from microG Services Framework version 0.0.1, which should be served to my F-Droid from another external repository: http://fdroid.o9i.de (see http://o9i.de/2015/10/23/howto-gmscore.html). I was not aware that they provide a Signal build (and really wish F-Droid offered a clear interface for showing and controlling from which repository applications are drawn), but if that repo does offer one, it looks like a favorable possible scenario of what's going on is that I was mistaken about the source repository and have been surprised by a legitimate different build that I was not aware existed.

@thrillfall, is this a possible explanation for you as well? My phone runs Cyanogenmod, with applications installed only through F-Droid, and with only these two extra repos added, so I see no other possibilities for a mistake.

Please note that I can't tell between that and far less favorable scenarios yet. I am new to custom repositories for F-Droid and have not found any good way to inspect the contents of the one at http://fdroid.o9i.de; I must to my embarrassment confess that the whole extent of my security measures in this case was to enter the stated SHA-256 ("SHA-256 fingerprint of the signing key is c93b9baccccccc973fbef19bea60733229c59ce79f54d04878b604baab502a0d.") when adding the repo. Suggestions for how to go on from here would be welcome.

thrillfall commented 8 years ago

But I have never released a build of version 3.8.0

That shocked me quite a bit :-)

@BeauRugHill Yes, I have the same setup with only the xmikos and o9i repos. If o9i does supply a Signal build, then that could be the origin of the infamous 3.8.1 build (can't verify since the repo seems to be down).

FYI there is an issue pending for showing the origin of a build for the Android F-Droid app: https://gitlab.com/fdroid/fdroidclient/issues/527

xmikos commented 8 years ago

@BeauRugHill @thrillfall Great, I am glad that it has been resolved and no MITM has occurred ;-) I have added my thoughts to that F-Droid issue on GitLab. I am closing this now.