
Ask HN: Why doesn't Moxie sign Signal's releases? - rahrahrah
It's good practice and obviously the guy is smart and knows this...
======
comboy
If it's distributed using Google play store aren't apks signed by the
developer anyway?

~~~
diggan
Yeah, that is true. But Play is the middle man, not sure the end user could
even verify the apks in any way...
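
Added example (not from this thread and not Signal's code): what the check diggan is unsure about looks like for an Android user who pins the developer's release-signing certificate after one trusted install and verifies later APKs against it, using only the standard library. It reads the v1 (JAR) signature block under META-INF, pulls the signer certificate out of the PKCS#7 blob and compares its SHA-256 fingerprint (the same value `keytool -printcert -jarfile` prints) with the pinned one; the APK, certificate and fingerprint below are constructed stand-ins, not real Signal values.

```python
import hashlib
import io
import zipfile

def _tlv(buf, pos):  # parse one DER tag/length header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length; real certificates need it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def certs_from_pkcs7(der):  # DER certificates inside a PKCS#7 SignedData (META-INF/*.RSA)
    _, p, _ = _tlv(der, 0)                      # ContentInfo SEQUENCE
    _, _, p = _tlv(der, p)                      # contentType OID, skipped
    _, p, _ = _tlv(der, p)                      # [0] EXPLICIT content
    _, p, _ = _tlv(der, p)                      # SignedData SEQUENCE
    for _ in range(3):                          # skip version, digestAlgorithms, encapContentInfo
        _, _, p = _tlv(der, p)
    tag, p, end = _tlv(der, p)                  # [0] IMPLICIT certificates, optional
    certs = []
    while tag == 0xA0 and p < end:
        _, _, cert_end = _tlv(der, p)
        certs.append(der[p:cert_end])           # whole Certificate TLV, header included
        p = cert_end
    return certs
def signer_fingerprints(apk_bytes):  # SHA-256 of every v1 (JAR) signer certificate
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps += [hashlib.sha256(c).hexdigest() for c in certs_from_pkcs7(z.read(name))]
    return fps
def is_trusted(apk_bytes, pinned):  # at least one signer, and every signer is pinned
    fps = signer_fingerprints(apk_bytes)
    return bool(fps) and all(fp in pinned for fp in fps)

# Constructed sample below: a minimal SignedData around a stand-in "certificate", not a real APK.
def _der(tag, body):  # short-form lengths are enough for the sample
    return bytes([tag, len(body)]) + body
def _build_apk(entries):  # APKs are plain zip files
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()
FAKE_CERT = _der(0x30, b"constructed stand-in for an X.509 cert")
_SIGNED_DATA = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"")
               + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701"))) + _der(0xA0, FAKE_CERT))
SAMPLE_PKCS7 = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010702")) + _der(0xA0, _SIGNED_DATA))
SAMPLE_FINGERPRINT = hashlib.sha256(FAKE_CERT).hexdigest()
SAMPLE_APK = _build_apk({"classes.dex": b"\x00", "META-INF/CERT.RSA": SAMPLE_PKCS7})
UNSIGNED_APK = _build_apk({"classes.dex": b"\x00"})  # no v1 signature block at all
```

An APK signed only with the v2/v3 scheme keeps its signer in the APK Signing Block rather than META-INF, so this check reports no signer for it (and therefore refuses it); `apksigner verify --print-certs` is the reference tool for those.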

~~~
cpeterso
On Amazon's Android app store, they repack the developer-provided APKs. Any
developer APK signatures would be lost.

------
adricnet
On Android or iOS or did you mean sign a source release ...?

My guess is because of potential friction with reproducible building (for
Android) and this for iOS: [https://github.com/WhisperSystems/Signal-iOS/issues/1063](https://github.com/WhisperSystems/Signal-iOS/issues/1063)

hth, adric

~~~
rahrahrah
I meant both.

------
hkt
I don't know, but am I right in saying that he is generally in favour of
ephemerality over verifiability? It'd seem odd to do this with definitely
attributable works like software releases, but it is what would make most
sense to me.

~~~
rahrahrah
> he is generally in favour of ephemerality over verifiability

That's not an absolute law in a vacuum. What does "ephemerality" even mean in
the context of the question "how can I verify that the software that's being
pushed to my phone comes from where it says it comes?"

------
cjbprime
Crypto experts don't follow "good practice" for the sake of it; they do things
that would meaningfully improve security.

~~~
rahrahrah
Are you suggesting that signing doesn't meaningfully improve security?

~~~
cjbprime
Yeah, that additional signatures on top of the app store ones don't help
users, who aren't going to check them.

~~~
rahrahrah
When you say "doesn't meaningfully improve security", does "meaningfully" mean
"for the majority of users"? Because I can assure you that for a single user
who does things properly it does improve security.

~~~
cjbprime
Yes. Meaningfully means that the _overall_ state of security is increased. A
single user's actions don't count.

~~~
rahrahrah
Ok so you're giving me an answer about something that I don't care about, the
"overall" state of security. I just care about mine, really. Thanks.

