Context

  • I use Debian.
  • I need to run multiple instances of Signal Desktop on my laptop
  • I prefer to run these apps through flatpak for security reasons
  • I want them all to use Tor to connect to the internet, to reduce the risk of giving my IP address to everyone

I use the terminal in this howto.

Because we use Signal Desktop, we need a smartphone to link it to the Signal account. We will not cover that part here.

Keep in mind that the link with the Signal account will be lost after 7 days of inactivity.

Big picture

We will install the app as a flatpak system app, and create as many “launchers” for this app as we want, each with its own name, homefolder, and a unique Tor circuit.

Threat model, security plan, basic thoughts

There are tons of resources out there about threat modeling: https://ssd.eff.org, https://securityinabox.org, and many others.

As a quick reminder: whatever tools we choose and however we configure them, computers will never be safe. There will always be flaws, security issues, bugs. As activists or survivors using technology to communicate, we can only reduce the risks, and think about what we really have to hide, from whom, what cost we are willing to bear, what our enemies could do against us, what they are ready to pay for that goal, and what happens if we fail. When these become clearer, we are able to make better choices.

That was just a reminder :) if you’re here, you probably know what you’re doing.

Install flatpak and configure it

Enter quoted commands in a terminal.

Do not enter these commands in a Root Terminal, but in a regular one.

The next commands will install flatpak, the flatpak plugin for Gnome Software, tor, and torsocks on the system. You may remove tor and torsocks if you don’t plan to use Tor. This command may ask for the user password.

sudo apt update
sudo apt install flatpak gnome-software-plugin-flatpak tor torsocks

The flatpak plugin for Gnome Software is useful to get automatic upgrades of flatpak packages. Without it, one must run flatpak update regularly.

On some systems without sudo these commands will fail with “sudo: command not found”; in that case, use su first:

su
apt update
apt install flatpak gnome-software-plugin-flatpak tor torsocks
exit

The next command sets where flatpak may find apps (we use the official repository). You may prepend torsocks to the command if you don’t want the flatpak servers to record your IP address. Make sure you are entering the next commands in a user terminal (the prompt ends with a dollar sign, $, not with a hash sign, #).

flatpak remote-add --system --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

(this command may ask you for the user or admin password)

Install signal-desktop

This will install signal-desktop through flatpak, as a “system flatpak” (meaning it’s available for all users on the machine, but of course the app contents are not shared across users). You may prepend torsocks to the command if you don’t want the flatpak servers to record your IP address.

flatpak install --system org.signal.Signal

(this command may ask you for the user or admin password)

This command will then ask for confirmations; press ‘y’ to confirm each time it asks.

Copy the desktop file to override the original

Desktop Files are launchers: when we start an application from the Applications Menu or the Activity View in Gnome, it will do what is set in the corresponding Desktop File.

We need to copy the Desktop File generated by flatpak to a higher priority place, so modifications we add to our file will have precedence over flatpak’s:

cp /var/lib/flatpak/exports/share/applications/org.signal.Signal.desktop ~/.local/share/applications/

Edit the Desktop file

In the next steps, the terminal is not needed so it can be closed.

  • Open Files, the GNOME File browser
  • In the “Hamburger menu” (the three horizontal dashes on the top right corner of the window), check “Show Hidden Files”
  • In the Home folder, enter the folder named “.local”
  • Enter “share”, then “applications”
  • In the “Hamburger menu”, uncheck “Show Hidden Files”
  • Right-click “org.signal.Signal.desktop” → “Open with other application”
    • Click on “View All Applications”
    • Select “Text Editor”
    • Click the blue “Select” button

The file is now opened in Gedit, a text editor.

The lines of interest are the ones starting with:

  • Name=: Here we can enter what we want. For example “Signal for oestrogenes trafic” or “Signal: family eeesh” or “i love signal for activism”
  • Exec=: Here is how the app is started and where we add parameters

You should not rename the ‘org.signal.Signal.desktop’ file, or Signal will appear twice in the applications list. Just keep it for your first instance. The Name= and Exec= fields can be changed.

The Exec= line sets how Signal will be started. We have to add our modifications into that line, just after the first Equal sign (=). Before our modifications, the line should look like this:

Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=signal-desktop --file-forwarding org.signal.Signal @@u %U @@

As said before, we will add stuff just after Exec=.

Let’s build the block we want to add (we will add it to the file afterwards):

  1. It will start with env (mind the trailing space)
  2. Then we have to specify where Signal will store its data. In this example, we will use HOME=.local/signal1. That means the Signal started through this Desktop File will store its data in a folder called signal1 inside .local in our Home Folder.
    • If you don’t understand much of it, just use .local/signal1 for the first Signal, .local/signal2 for the second, etc.
    • Our block now looks like:
    env HOME=.local/signal1
    
  3. If you want Signal to use Tor, add this to the block:
    HTTP_PROXY=socks://signal1:signal1@127.0.0.1:9050 HTTPS_PROXY=socks://signal1:signal1@127.0.0.1:9050
    
    • For the second Signal instance, replace signal1 with signal2, etc
    • The block now looks like this:
    env HOME=.local/signal1 HTTP_PROXY=socks://signal1:signal1@127.0.0.1:9050 HTTPS_PROXY=socks://signal1:signal1@127.0.0.1:9050
    
    • Keep in mind that there are space characters before HOME=, HTTP_PROXY= and HTTPS_PROXY=.

Now, we add this block in the Exec= line, just after the Equal sign. So the full line looks like this:

Exec=env HOME=.local/signal1 HTTP_PROXY=socks://signal1:signal1@127.0.0.1:9050 HTTPS_PROXY=socks://signal1:signal1@127.0.0.1:9050 /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=signal-desktop --file-forwarding org.signal.Signal @@u %U @@

Save the file, exit the editor, and in a few seconds or minutes it should appear in the applications list!

Do it again

When your first Signal instance works, you may copy that org.signal.Signal.desktop file to signal2.desktop or signal-canada.desktop, or any name with no special chars that ends with .desktop, in the same folder (~/.local/share/applications/), and edit it to make it use a different home folder and Name=.
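
The copy-and-edit step above can be scripted. The following is an added example, not part of the original howto: a shell function that builds the launcher for one more instance from an existing desktop file, using the same Exec= block as above. The function name, its arguments and the choice to drop localized Name[xx]= lines are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original howto.
# make_signal_launcher SRC INSTANCE LABEL OUTDIR
#   SRC      desktop file to start from (flatpak's export or an edited copy)
#   INSTANCE short name, reused for home folder, SOCKS credentials, file name
#   LABEL    text for the Name= line
#   OUTDIR   normally ~/.local/share/applications
make_signal_launcher() {
    src=$1 inst=$2 label=$3 outdir=$4
    # "No special chars": the name lands in a path, a proxy URL and a file name.
    case $inst in
        ''|*[!A-Za-z0-9-]*) echo "invalid instance name: $inst" >&2; return 1 ;;
    esac
    out="$outdir/$inst.desktop"
    [ -r "$src" ] || { echo "cannot read: $src" >&2; return 1; }
    [ "$src" != "$out" ] || { echo "source and target are the same file" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    # Distinct SOCKS user/password per instance: Tor's IsolateSOCKSAuth
    # (on by default) keeps streams with different credentials on separate circuits.
    proxy="socks://$inst:$inst@127.0.0.1:9050"
    # HOME stays relative, as in the howto; it resolves against the directory
    # the launcher is started from.
    LABEL=$label \
    PREFIX="env HOME=.local/$inst HTTP_PROXY=$proxy HTTPS_PROXY=$proxy " \
    awk '
        /^\[/ { main = ($0 == "[Desktop Entry]") }
        # Localized Name[xx]= lines would hide the new label, so drop them.
        main && /^Name\[/ { next }
        main && /^Name=/  { print "Name=" ENVIRON["LABEL"]; next }
        /^Exec=/ {
            # Replace whatever precedes the flatpak call (nothing, or an older
            # env block) so no launcher or desktop action skips the proxy.
            i = index($0, "/usr/bin/flatpak")
            if (i) { print "Exec=" ENVIRON["PREFIX"] substr($0, i); n++; next }
        }
        { print }
        END { exit (n == 0) }
    ' "$src" > "$out" || {
        rm -f "$out"; echo "no flatpak Exec= line found in $src" >&2; return 1
    }
    printf '%s\n' "$out"
}
```

For example, make_signal_launcher ~/.local/share/applications/org.signal.Signal.desktop signal2 "Signal: family" ~/.local/share/applications writes signal2.desktop. The function refuses to write a launcher if it finds no flatpak Exec= line to rewrite, so a file that would start Signal without the proxy settings is never left behind.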

Last notes

  • We tested that when set to use Tor and tor is stopped, Signal is not able to communicate with its servers
  • We tested that when set to use Tor with a firewall blocking non-tor connections, Signal was working properly
  • Signal-Desktop uses a lot of RAM (400Mb here); it may slow down the computer quite a bit if many applications are open or if it has little RAM
  • In each instance folder (i.e. HOME=.local/signal-alarmphone-collective), there will be different folders created by flatpak and signal. The only important one (signal config and messages) is in .var/org.signal.Signal. It can be backed up or copied to a fresh flatpak signal instance and should work right away
  • Using Signal for different contextual identities all on the same device might not be the wisest thing to do. When risks are high, better use Tails and install Signal-Desktop on it

Appendix for Nheko and Element

Nheko

Nheko is a nice Matrix client for desktop.

To use multiple instances, instead of using a HOME= block one has to use the -p flag, which is added in the Exec= line, just before @@u:

  • The first Nheko instance should have -p default, otherwise it will run the last started instance
  • Each other instance must have a unique -p profilename (no special chars)

Element

Element is the official Matrix client, but is a little bit heavier than Nheko.

To use multiple Flatpak Element instances, follow the same howto, but instead of adding the HTTP_PROXY= and HTTPS_PROXY= blocks to use Tor, add --proxy-server=socks5://127.0.0.1:9050 before @@u in the Exec= line.