Changes

Page history
Moved back to provided deb packages, section remove unused files from... authored by about:privacy's avatar about:privacy 
Moved back to provided deb packages, section remove unused files from previouse installations, cleaned up the guide, added security warning about installation of additional software and 3rd party repos
Show whitespace changes
Inline Side-by-side
Signal/Registration-and-Provisioning-via-signal-cli.md
View page @ 2c510a6a
_This guide has been tested with Tails OS versions **6.10** and **signal-cli-v0.13.11**_ _This guide has been tested with Tails OS versions **6.11** and **signal-cli-v0.13.11**
This guide uses apt repositories for installing and updating signal-cli. [Every time Tails starts it installs and if you are connected also checks for updates on additional software](https://tails.net/doc/persistent_storage/additional_software/index.en.html#index3h2) and brings signal-cli up-to-date. No manual updates for signal-cli needed anymore. If you have used this guide previously before January 11th, 2025, follow all steps and optionally _Remove older installation of this guide_ to free up space.
**Notes**: **Notes**:
* Many steps happen in the _Terminal_. To paste content in the terminal, either right-click in the terminal and choose Paste, or use CTRL-SHIFT-V (not CTRL-V). * Many steps happen in the _Terminal_. To paste content in the terminal, either right-click in the terminal and choose Paste, or use CTRL-SHIFT-V (not CTRL-V).
* **Do NOT use the _Root Terminal_** or instructions won't work! * **Do NOT use the _Root Terminal_** if not explicitly asked for or instructions won't work!
* A working **internet connection is required** at every step of the howto. * A working **internet connection is required** at every step of the howto.
* The packages included in Tails are carefully tested for security. Installing additional packages might break the security built in Tails, so [be careful with what you install](https://tails.net/doc/persistent_storage/additional_software/index.en.html#warning).
* Configuring additional APT repositories might break the security built in Tails and might install software that has not even been approved by Debian. Be even more careful with what you install. Installing signal-cli increases the attack surface of your Tails system.
## Persistent Storage ## Persistent Storage
...@@ -20,170 +24,90 @@ sudo sed -i '$ a /home/amnesia/.local/share/signal-cli/ source=signal-cli' /live ...@@ -20,170 +24,90 @@ sudo sed -i '$ a /home/amnesia/.local/share/signal-cli/ source=signal-cli' /live
7. Shutdown Tails. 7. Shutdown Tails.
<!-- ## ~~Configuring additional APT repositories for signal-cli~~ ## Configuring additional APT repositories for signal-cli
<details>
<summary>
~~DEPRECEATED due to signal-cli >= v.0.11.11 requires libc6 <= 2.34~~ 1. Start your Tails unlocking your persistent storage and setup an administration password, follow section *Set up an administration password\* at https://tails.boum.org/doc/first_steps/welcome_screen/administration_password
</summary> 2. Choose Applications ▸ System Tools ▸ Root Terminal, use the password set in step 1.
3. Create an apt-sources.list.d folder in your Persistent Storage:
1. ~~Start your Tails unlocking your persistent storage and setup an administration password, follow section *Set up an administration password\* at <span dir="">\~\~\~\~</span>\~\~\~\~~~~~https://tails.boum.org/doc/first_steps/welcome_screen/administration_password~~
2. ~~Choose Applications ▸ System Tools ▸ Root Terminal use the password set in step 1.~~
3. ~~Create an apt-sources.list.d folder in your Persistent Storage:~~
```plaintext ```plaintext
install -d -m 755 /live/persistence/TailsData_unlocked/apt-sources.list.d install -d -m 755 /live/persistence/TailsData_unlocked/apt-sources.list.d
``` ```
5. ~~We need to make the `apt-sources.list.d` folder persistent, by executing:~~ 4. We need to make the `apt-sources.list.d` folder persistent, by executing:
```plaintext ```plaintext
sed -i '$ a /etc/apt/sources.list.d source=apt-sources.list.d,link' /live/persistence/TailsData_unlocked/persistence.conf sed -i '$ a /etc/apt/sources.list.d source=apt-sources.list.d,link' /live/persistence/TailsData_unlocked/persistence.conf
``` ```
6. ~~Now we add the ~~[~~signal-cli debian repository~~](https://packaging.gitlab.io/signal-cli/installation/standalone/#repository)~~ to a new file `/live/persistence/TailsData_unlocked/apt-sources.list.d/morph027-signal-cli.list` and set correct file ownership and permissions:~~ 5. Now we add the [signal-cli debian repository](https://packaging.gitlab.io/signal-cli/installation/standalone/#repository) to a new file `/live/persistence/TailsData_unlocked/apt-sources.list.d/morph027-signal-cli.list` and set correct file ownership and permissions:
```plaintext
echo -e 'deb tor+https://packaging.gitlab.io/signal-cli signalcli main' | tee -a /live/persistence/TailsData_unlocked/apt-sources.list.d/morph027-signal-cli.list && chown root:root /live/persistence/TailsData_unlocked/apt-sources.list.d/morph027-signal-cli.list && chmod 644 /live/persistence/TailsData_unlocked/apt-sources.list.d/morph027-signal-cli.list
```
7. ~~We need to download and add the signal-cli's repo signing key to apt:~~
```plaintext ```plaintext
torify wget --retry-connrefused -O /home/amnesia/Persistent/morph027-signal-cli.asc https://packaging.gitlab.io/signal-cli/gpg.key && chown amnesia:amnesia /home/amnesia/Persistent/morph027-signal-cli.asc && cp /home/amnesia/Persistent/morph027-signal-cli.asc /etc/apt/trusted.gpg.d/ echo -e 'deb [signed-by=/usr/share/keyrings/persistent/morph027-signal-cli.asc] tor+https://packaging.gitlab.io/signal-cli signalcli main' | tee -a /live/persistence/TailsData_unlocked/apt-sources.list.d/morph027-signal-cli.list && chown root:root /live/persistence/TailsData_unlocked/apt-sources.list.d/morph027-signal-cli.list && chmod 644 /live/persistence/TailsData_unlocked/apt-sources.list.d/morph027-signal-cli.list
``` ```
8. ~~Create a script for adding the signing key to apt, this needs to be done due to ~~[~~Tails not allowing to add Keys of 3rd party repos~~](https://gitlab.tails.boum.org/tails/tails/-/issues/17510)~~:~~ 7. We need to download and add the signal-cli's repo signing key to apt and persist it since [Tails doesn't support 3rd party repo keys](https://gitlab.tails.boum.org/tails/tails/-/issues/17510) natively:
```plaintext ```plaintext
echo -e '#/bin/sh\nsudo cp /home/amnesia/Persistent/morph027-signal-cli.asc /etc/apt/trusted.gpg.d/' | tee -a /home/amnesia/Persistent/apt-keys.sh && chown amnesia:amnesia /home/amnesia/Persistent/apt-keys.sh && chmod +x /home/amnesia/Persistent/apt-keys.sh sed -i '$ a /usr/share/keyrings/persistent source=apt/keyrings' /live/persistence/TailsData_unlocked/persistence.conf && install -d -m 755 /live/persistence/TailsData_unlocked/apt/keyrings && sudo -u amnesia wget --retry-connrefused -O /tmp/morph027-signal-cli.asc https://packaging.gitlab.io/signal-cli/gpg.key && cp /tmp/morph027-signal-cli.asc /live/persistence/TailsData_unlocked/apt/keyrings/morph027-signal-cli.asc
``` ```
9. Shutdown Tails.
9. ~~Shutdown Tails.~~
</details>-->
## Install signal-cli ## Install signal-cli
**WARNING: In this section of the guide this is explained for signal-cli-0.13.11 released December 26th, 2024. This version might become outdated if this guide is not updated regularly. Strongly recommended to use [latest signal-cli release](https://github.com/AsamK/signal-cli/releases/latest)**
1. Start your Tails unlocking your persistent storage and setup an administration password, follow section _Set up an administration password_ at https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/. 1. Start your Tails unlocking your persistent storage and setup an administration password, follow section _Set up an administration password_ at https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/.
2. Choose Applications ▸ System Tools ▸ Terminal 2. Choose Applications ▸ System Tools ▸ Terminal
<!--<details>
<summary>
~~DEPRECEATED due to signal-cli >= v.0.11.11 requires libc6 <= 2.34~~
</summary>
3\. <span dir="">\~\~</span>Run the script for adding signal-cli signing keys to apt:<span dir="">\~\~</span>
```plaintext
Persistent/apt-keys.sh
```
3. _~~Wait until additional software has been installed successfully~~_
</details>-->
3. Update repositories and install `ca-certificates-java` and `openjdk-21` executing 3. Update repositories and install `ca-certificates-java` and `openjdk-21` executing
```plaintext ```plaintext
sudo apt-get update && sudo apt-get install -y ca-certificates-java && wget https://download.oracle.com/java/21/latest/jdk-21_linux-x64_bin.deb -P /home/amnesia/Persistent/ && sudo dpkg -i /home/amnesia/Persistent/jdk-21_linux-x64_bin.deb sudo apt-get update && sudo apt-get install -y ca-certificates-java && wget https://download.oracle.com/java/21/latest/jdk-21_linux-x64_bin.deb -P /home/amnesia/Persistent/ && sudo dpkg -i /home/amnesia/Persistent/jdk-21_linux-x64_bin.deb
``` ```
<!--<details> 5. Install `signal-cli-native` executing
<summary>
~~DEPRECEATED due to signal-cli >= v.0.11.11 requires libc6 <= 2.34~~
</summary>
5. Install `signal-cli-jre` executing
```plaintext ```plaintext
sudo apt-get install -y signal-cli-jre sudo apt-get install -y signal-cli-native
``` ```
6. Make the installation persistent (_Install every time_) following step 3. at https://tails.boum.org/doc/persistent_storage/additional_software/#index4h2 6. Make the installation persistent (_Install every time_) following step 3. at https://tails.boum.org/doc/persistent_storage/additional_software/#index4h2
7. If more than one signal-cli-* is installed, we need to update-alternatives for signal-cli to run signal-cli-jre executing
7. Check installed version of signal-cli by running
```plaintext ```plaintext
sudo update-alternatives --install /usr/bin/signal-cli signal-cli /usr/bin/signal-cli-jre 0 signal-cli version
``` ```
</details>-->
4. Make the installation persistent (_Install every time_) following step 3. at https://tails.boum.org/doc/persistent_storage/additional_software/#index4h2
5. Download `signal-cli-0.13.11` and signature file, executing:
```plaintext
wget https://github.com/AsamK/signal-cli/releases/download/v0.13.11/signal-cli-0.13.11.tar.gz -P /home/amnesia/Persistent/ && wget https://github.com/AsamK/signal-cli/releases/download/v0.13.11/signal-cli-0.13.11.tar.gz.asc -P /home/amnesia/Persistent/
```
6. As announced per https://github.com/AsamK/signal-cli/issues/65 repos owners PGP fingerprint is `FA10826A74907F9EC6BBB7FC2BA2CD21B5B09570` and the key id is `2BA2CD21B5B09570`. Download the pgp public key file from mentioned pgp key server:
```plaintext
torsocks -i gpg --keyserver pgp.mit.edu --recv-keys 0x2BA2CD21B5B09570
```
7. Verify the archive:
```plaintext
gpg --verify /home/amnesia/Persistent/signal-cli-0.13.11.tar.gz.asc /home/amnesia/Persistent/signal-cli-0.13.11.tar.gz
```
<!--**WARNING: It seems to be badly signed, looks likewise https://github.com/AsamK/signal-cli/issues/934**-->
8. Extract the archive:
```plaintext
tar xf signal-cli-0.13.11.tar.gz -C /home/amnesia/Persistent/
```
9. We create a script for running `signal-cli`
<details>
<summary>
Further details
</summary>We need to tell jre to use torsocks' SOCKS proxy and add the signal-cli directory to the path script for running `signal-cli`. Also we need to add libsignal_jni.so to the Java library path
</details>
```plaintext
echo -e '#!/bin/sh\nsudo dpkg -i jdk-21_linux-x64_bin.deb\nexport JAVA_TOOL_OPTIONS="-Djava.net.preferIPv4Stack=true"\nexport PATH="/home/amnesia/Persistent/signal-cli-0.13.11/bin:$PATH"\ntorsocks --shell' | tee -a /home/amnesia/Persistent/signal-cli_tor.sh && chmod a+x /home/amnesia/Persistent/signal-cli_tor.sh
```
## General use of `signal-cli` on Tails ## General use of `signal-cli` on Tails
**(aka steps required every time you want to use `signal-cli`)** **(aka steps required every time you want to use `signal-cli`)**
1. Start your Tails unlocking your persistent storage and setup an administration password, follow section _Set up an administration password_ at https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/. 1. Start your Tails unlocking your persistent storage and setup an administration password, follow section _Set up an administration password_ at https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/.
2. Choose Applications ▸ System Tools ▸ Terminal 2. Choose Applications ▸ System Tools ▸ Terminal
3. _Wait until additional software has been installed successfully_
<!--<details> 4. Run either a torified shell before using `signal-cli` commands:
<summary>
~~DEPRECEATED due to signal-cli >= v.0.11.11 requires libc6 <= 2.34~~
</summary>
3. Run the script for adding signal-cli signing keys to apt:
```plaintext ```plaintext
Persistent/apt-keys.sh torsocks --shell
``` ```
and quit with `Ctrl+D`when you are done with using signal-cli commands.
and _Wait until additional software has been installed successfully_ OR
</details>--> torify all `signal-cli` commands one by one:
<!--5. signal-cli-jre requires at least Java Runtime Environment (JRE) 17.--> ```plaintext
torsocks -i signal-cli
```
4. Start executing the signal-cli script we created in the previous section: ## Remove older installation of this guide
If you have installed signal-cli using an older version of this HowTo guide which instructed you to download and extract binaries from https://github.com/AsamK/signal-cli/releases you can safely remove those files freeing precious space on your Persistent since they are not needed anymore, also java is not needed anymore:
1. Start your Tails unlocking your persistent storage and setup an administration password, follow section _Set up an administration password_ at https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/.
2. Choose Applications ▸ System Tools ▸ Terminal
3. WARNING! This deletes all files which start with `signal-cli` in your Persistent folder. This is safe if you followed previous versions of this HowTo and did not create files with such a naming scheme manually. It does not remove any messages nor account data. Execute:
```plaintext ```plaintext
Persistent/signal-cli_tor.sh rm -r /home/amnesia/Persistent/signal-cli* && rm /home/Persistent/jdk-21_linux-x64_bin.deb
``` ```
6. Now you can run any `signal-cli` command, refer to [man page](https://github.com/AsamK/signal-cli/blob/master/man/signal-cli.1.adoc) for help.
**Replace $PHONE_NR with your phone number using the international format (e. g. +15758941234 for a number registered in Truth or consequences, New Mexico)** **Replace $PHONE_NR with your phone number using the international format (e. g. +15758941234 for a number registered in Truth or consequences, New Mexico)**
... ...
......