
Standalone Signal Desktop - rouma7
https://signal.org/blog/standalone-signal-desktop/
======
nikisweeting
Why no web app? Moxie closed
[https://github.com/WhisperSystems/Signal-Desktop/issues/723](https://github.com/WhisperSystems/Signal-Desktop/issues/723)
without giving any reasoning. Can someone link me to a blog post that explains
why Signal is refusing to release a web version?

I cannot run another Electron app on my computer, I simply do not have the RAM
left. Signal as a web-app would allow me to put it inside of Franz or Rambox,
where all my other chat services live.

Right now Signal is the only chat service that I cannot run in Rambox or a
browser.

All the other major chat services provide a web-app that can run in a browser:

- messenger
- whatsapp
- wechat
- hangouts
- skype
- zulip

These apps all have web versions for good reason, a website is the most
versatile, portable way to share an application with users whose devices you
can't support individually. If a user's chrome extension gets hacked and steals
their messages that's their fault, it should be the choice of the user whether
they run the app in an insecure environment. After all, you're relying on them
to not have keyloggers or rootkits on their computers that run the desktop
app.

I don't see any reasoning for Signal to not follow WhatsApp's model and
release a web-app that links to your phone.

~~~
kijiki
In-browser e2e encryption is vulnerable to targeted attacks on specific
individuals.

The service (either intentionally or by virtue of being hacked) can serve up
Javascript crypto code that either uploads plaintext, or subtly backdoors the
crypto so it can be decrypted. And they can do this to just a single user, so
unless you audit the Javascript every single time you load the page, you'd
never know.

A signed app is more secure, because a backdoor would have to be distributed
to everyone, greatly increasing the chances of it being discovered.

~~~
swsieber
A signed app is only more secure if they load absolutely no code remotely,
otherwise they open up the same channels of attack.

That said, at least they have the option of closing that hole with the
electron app.

~~~
JepZ
Actually, an electron app is very close to the security model of a browser.
The fact that they do not load code intentionally, does not solve the problem
that electron is able to execute injected javascript.

~~~
baby
you get rid of any CSRF from the get go.

------
smcleod
Other than the memory usage - these are problems I've encountered thus far:

    
    
      - It said it was 'Importing contacts and messages' when I signed in without first prompting me if that was OK.
      - Importing contacts and messages failed.
      - Manually importing contacts fails.
      - Conversations show up, but each message just shows as an error.
      - Deleting a conversation doesn't delete it, it just marks it as read.
      - Messages marked as read randomly reappear as unread.
      - Incorrect unread message count next to conversations list.
      - Messages often don't arrive at all, seems at random.
      - The application loses its 'link' to your account seemingly at random upon launch and needs to be relinked.
      - Appears to use an outdated version of electron with published security vulnerabilities.

~~~
aluhut
Not a single one of those happened to me. Are you sure there is nothing wrong
with your PC?

It uses 130MB RAM here (Win). How much is it on your side?

~~~
72deluxe
Call me old, but how can a messaging app like this use 130MB RAM? I am
exasperated that Skype on my machine is using 109MB with only one conversation
window open.

We seemed to get by with MSN Messenger with far less RAM, and the features
were pretty much identical.

It boggles the mind how memory-intensive some of the modern apps are. It's
insane.

~~~
andrepd
I get what you're saying and I totally agree with the sentiment, but in this
case I can let it slide. It's the only practical way to make a cross platform
app for Linux, Windows and Mac. They simply don't have the resources to write
and maintain (at least) three desktop apps. I can totally understand that a
small company has to make compromises like writing their desktop apps in
Electron.

That large companies also do this is another story entirely.

~~~
OldSchoolJohnny
I disagree completely, a single page application can be used on any of those
platforms in browser and doesn't require Electron at all.

~~~
yebyen
Is that really an improvement if you need to run a browser to run the app? I
guess most of us have the browser open all the time anyway, so adding an
Electron app is just one more thing, but I know that Chrome on my machine
soaks up a lot more than 130MB ...

I've got a lot of tabs open right now and I'm not sure how to read the memory
usage in Chrome's task manager, but Chrome appears to claim to be using about
450MB just for the browser, plus some additional amount for each tab I have
open.

~~~
nine_k
How often do you even close the browser?

------
lewisl9029
Any reason why there's not more support for the Progressive Web Apps standard
on desktop browsers [1]?

It seems to me that many Electron apps these days are super-thin wrappers
around a web app that don't actually need the full desktop access offered by
Electron (things like local filesystem access, multi-process execution, multi-
window management, arbitrary node APIs, etc).

They just need a way for users to "install" the app so that it 1) has a
separate shortcut and appears in a separate window from the browser, 2) can
send notifications through the native notifications stack, and use a fallback
on systems where one isn't available, 3) is available for use offline.

The Progressive Web Apps spec has answers to all of these problems, and it
would vastly improve the resource usage model compared to Electron because
each PWA would share the same browser runtime as the user's browser of choice,
which is more likely than not running 24/7 anyways.

Security-minded apps like Signal might need more guarantees such as asset
verification and version pinning on install, but surely those could be added
to the spec, as they would be beneficial for other Progressive Web Apps as
well.

I know PWA was designed with mobile apps in mind originally, but it'd be a
shame to limit it to that use case, as there is clearly a lot of demand for
building desktop apps with web technologies, and PWA sounds like an excellent
alternative to the current status quo that's dominated by Electron.

[1] [https://developer.mozilla.org/en-US/Apps/Progressive](https://developer.mozilla.org/en-US/Apps/Progressive)
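
An added example, not part of the comment above: a minimal form of the "asset verification and version pinning on install" idea, checking an unpacked app directory against a SHA-256 manifest recorded at install time and also flagging files the manifest never listed. The manifest format (`sha256sum` output), the function names and the files built in `demo_tamper_report` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: manifest format and function names are assumptions,
# and the files created in demo_tamper_report are constructed.

# Pin a directory: one "digest  ./path" line per file, sorted by path.
make_manifest() (
    cd "$1" || exit 1
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
)

# True if path $1 is listed in manifest file $2 (exact path match).
is_pinned() {
    awk -v p="$1" '{ sub(/^[0-9a-f]+ [ *]/, "") } $0 == p { hit = 1 }
                   END { exit !hit }' "$2"
}

# Verify directory $1 against manifest file $2. Prints one line per problem:
#   MISSING <path>  pinned but absent
#   CHANGED <path>  digest differs from the pinned one
#   EXTRA   <path>  on disk but never pinned (code nobody reviewed)
# Exit status is 0 only when there is nothing to report.
verify_assets() (
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    cd "$1" || exit 1
    report=$(
        while read -r want path; do
            if [ ! -f "$path" ]; then echo "MISSING $path"; continue; fi
            have=$(sha256sum "$path" | cut -d' ' -f1)
            [ "$have" = "$want" ] || echo "CHANGED $path"
        done < "$manifest"
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            is_pinned "$f" "$manifest" || echo "EXTRA $f"
        done
    )
    [ -z "$report" ] && exit 0
    printf '%s\n' "$report"
    exit 1
)

# Constructed walk-through: pin a tiny app, then serve it different content.
demo_tamper_report() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/app/js"
    printf '<script src="js/app.js"></script>\n' > "$d/app/index.html"
    printf 'render();\n' > "$d/app/js/app.js"
    make_manifest "$d/app" > "$d/pinned.sha256"           # taken at install time
    verify_assets "$d/app" "$d/pinned.sha256" || exit 1   # untouched tree passes
    printf 'render(); report();\n' > "$d/app/js/app.js"   # differs from the pin
    printf 'helper();\n' > "$d/app/js/helper.js"          # was never pinned
    verify_assets "$d/app" "$d/pinned.sha256"
    status=$?
    rm -rf "$d"
    exit "$status"
)
```

The manifest has to live outside the directory it describes and be protected separately (for example by a signature), otherwise whoever can change the assets can change the pins too.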

~~~
captainmuon
It's coming, at least for Edge on Windows. If you add appropriate meta tags,
your app will even automatically appear in the windows store.

The web platform is a really great example of backwards compatibility - it has
to, because people wouldn't tolerate breaking changes to websites. Browsers
(and Electron) have made a lot of progress in the last years, but now I think
this platform is very capable and you can get a lot done without waiting for a
new feature. This makes something like Electron a good candidate to ship with
the OS. Remove the burden of updates from the individual vendors, and use a
lot less disk space and memory because there is only one runtime.

I don't see installable Electron any time soon, but interestingly Edge might
fulfill that role on Windows (if it is compatible and PWAs are powerful enough
to replace most electron apps).

~~~
Vinnl
That's the main reason, I think: the PWA is getting there, but only just now.
Discovery (mostly on mobile) and integration (on desktop) is still relatively
lacking. Once those are fixed, I'm guessing it will slowly be getting more
uptake.

------
tmikaeld
Another 205MB Electron App to the collection, at least it's 50MB smaller than
Wire.

~~~
amedvednikov
eul is a light (4 MB) native desktop client for all popular messengers:

[https://eul.im](https://eul.im)

Signal support is coming later this year. Right now it supports Slack, Skype,
Facebook, and Gmail.

~~~
dilap
native in that it's not a web-app, sure, but it sure doesn't feel like a
native citizen on the mac.

window can't be resized, standard menus are missing, standard keyboard
shortcuts for text fields don't work, conversation text can't be selected, no
way to cut or copy text (tho paste does seem to work).

is it implementing its own ui toolkit? qt maybe?

~~~
amedvednikov
These are valid observations.

Right now the focus is on features and performance, but the app is going to be
polished before the 1.0 release to have a more native feel: native
notifications, shortcuts, textfields, etc.

~~~
dilap
cool, good to hear. with enough dedication and an eye for ui detail, i believe
it is possible to make a custom-widget app feel like a good citizen -- the
unity editor is a good example of this, imo. it's a ton of work tho!

(actually, i'm not sure if it's possible to make your app friendly to screen
readers w/o using native widgets. maybe?)

if you do pull it off, you'll end up with a great ui toolkit for go. that
would be a very interesting thing!

~~~
mwcampbell
Non-native widgets can certainly be accessible with screen readers and other
assistive technologies. But it's a lot of work. You'll need to implement the
UI Automation provider API for Windows, AT-SPI for desktop Linux, and the
Cocoa accessibility API for Mac. And you probably won't get any of them right
the first time. So I think it would have been better not to create a custom
toolkit.

~~~
dilap
It's a huge task, sure, but someone needs to take on huge tasks from time to
time (and Go does not currently have any good UI toolkit story). :-)

------
kome
Signal Desktop is not really standalone, because you still need to pair it
with your phone. And the phone should be turned on.

I am _very_ privacy conscious, and I don't use a smartphone, at all, because
it's basically a spying device in your pocket.

Why is Signal all about privacy, and then it forces me to pair it with a
telephone?

Telegram desktop is really standalone. They require a telephone number too
(and that's _very_ annoying), but they don't require having a smartphone or
keeping your phone open. My phone number on telegram is not even my phone
number anymore, and it doesn't make any difference... Privacy-wise it's far
from being perfect, but it's already better. At least it's usable.

~~~
mfwoods
Signal Desktop works without having your phone turned on. It acts like a full,
independent client after linking it to your smartphone app (unlike WhatsApp,
which does require your phone to be turned on).

~~~
kome
wow, sorry. my bad.

So I guess there is a way to use signal without having a phone nowadays!
That's great news!

I will try right now.

~~~
mfwoods
You still need a phone with a registered Signal on iOS or Android initially to
activate the desktop version (sorry if that wasn't clear), but you can turn
your phone off after.

Edit: It actually has the option to register without smartphone, but it's only
enabled in the debug versions.

~~~
ofek
Where can you get the debug version? I can't find it.

~~~
mfwoods
You can build it yourself from source. While it's true that the debug version
uses different servers, the functionality is there and can probably be enabled
in a production build with few modifications.

This might get you started:
[https://github.com/WhisperSystems/Signal-Desktop/blob/d1f7f5...](https://github.com/WhisperSystems/Signal-Desktop/blob/d1f7f5ee8c1111c2b12a2870c64a830ca0f4fd04/js/views/app_view.js#L90)

------
unicornporn
I so wish more people discovered Matrix or [https://riot.im](https://riot.im).

To me it's simpler and works better than Signal while being decentralized and
federated. It has excellent clients for all platforms (and these keep messages
in sync with each other) and does not require a phone number.

~~~
terraforming
Matrix is fantastic. However, riot desktop sucks in my opinion. Yet again, an
electron app. You say that matrix "has excellent clients for all platforms".
That is simply not true at this time. For linux, there's pretty much only 1
client that's currently usable, and that is riot (electron app).

There's a fantastic one in the works, qmatrixclient (quaternion:
[https://github.com/QMatrixClient/Quaternion](https://github.com/QMatrixClient/Quaternion)),
but it doesn't support E2EE yet.

~~~
Sir_Cmpwn
There is a Weechat plugin.

[https://github.com/torhve/weechat-matrix-protocol-script](https://github.com/torhve/weechat-matrix-protocol-script)

------
dbrgn
Does it still store all data unencrypted on the disk?
[https://github.com/WhisperSystems/Signal-Desktop/issues/1017](https://github.com/WhisperSystems/Signal-Desktop/issues/1017)

~~~
enraged_camel
Wow, reading that thread basically made me decide against using Signal.

For an app that is supposed to be the pinnacle of secure messaging, leaving
_anything_ unencrypted on the local device is just breathtakingly negligent.

The way moxie ushers people to take the discussion elsewhere doesn't help
either. It just reinforces the perception that he doesn't care.

~~~
darklajid
As someone that doesn't care at all about Signal (I'm in the "no federation &
mobile number as ID is unappealing and I can just as well use WhatsApp" camp)
I came away with the opposite opinion:

The people in the report (not necessarily the original submitter, the "Now
I'll go and tell everyone to uninstall Signal! There you have it!" crowd)
seemed to be demanding/whining and spammed a bug tracker with random anecdotes
and their personal agendas in a rather rude way.

Whereas moxie - again, in my opinion - replied in a very friendly, objective
and calm manner and invited these people to discuss the issue further. In the
_right place_ for an open debate about design decisions.

~~~
laresistance
Then again, you can't expect Signal's target users (normal tech un-savvy
people) to have FDE. But that's not necessarily bad in my book. IIRC Signal's
security model wasn't aiming for maximizing security but instead making mass-
surveillance harder to execute while offering an acceptable UX.

------
jsnar
Using Electron is a bad idea: it's not secure. Electron has many security
vulnerabilities. The latest version is still based on old Chromium (58 & 59)
so it inherits many of the security vulnerabilities published in Chromium 60,
61 and 62.

~~~
orange8
What do you suggest they should use instead?

~~~
polpo
They could use NW.js instead, which stays up-to-date with the latest Chromium
version, including security updates. They usually release on the same day as
Chromium. [https://nwjs.io/blog/](https://nwjs.io/blog/)

~~~
baby
This is interesting, I feel like NW.js has lost the war against Electron, but
I haven't closely been following the topic. Can anyone summarize the latest
common opinion on the subject?

~~~
polpo
There was a period in late 2014-early 2015 where NW.js stagnated, but since
then it's been very actively developed. I found this 2016 comparison pretty
even-handed and comprehensive; it'd be nice to see an updated version for
2017.
[http://tangiblejs.com/posts/nw-js-and-electron-compared-2016...](http://tangiblejs.com/posts/nw-js-and-electron-compared-2016-edition)

------
openfuture
I want to say "finally!" but they're deprecating the chrome extension so now
my chromebook won't be connected anymore but at least I'll be able to get rid
of chromium on my desktop.

Guess you can never please everyone.

But in all seriousness thank you for the great work, this is excellent news!

~~~
BHSPitMonkey
Deprecating doesn't necessarily mean you can't keep using what's already
there. Even if it's removed from the store you should still be able to run it
locally.

~~~
rrix2
Not if Chromium removes support for packaged apps:
[https://blog.chromium.org/2016/08/from-chrome-apps-to-web.ht...](https://blog.chromium.org/2016/08/from-chrome-apps-to-web.html)

~~~
mastax
> All types of Chrome apps will remain supported and maintained on Chrome OS
> for the foreseeable future.

------
verbify
It's ludicrous that you need javascript enabled to download a secure messaging
app.

~~~
mfwoods
For those that don't want to enable Javascript, these are the hidden Linux
instructions:

    
    
      $ curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add -
      $ echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
      $ sudo apt update && sudo apt install signal-desktop

~~~
frabbit
How are we supposed to verify keys.asc?

(To be a bit more explicit: searching for either the pub (57F6FB06) or
sub (0E46390F) keys on hkps.pool.sks-keyservers.net returns no result)

~~~
mfwoods
Just because it's on a keyserver doesn't mean it's trustworthy. Keyservers do
no verification of any kind on the keys they host.

If you(r system) trust the certificate that
[https://updates.signal.org/](https://updates.signal.org/) is using, you
should be confident that you are getting the correct keys.

(You shouldn't trust a stranger on the internet, but I am getting the same
keys when I download them.)
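
An added example, not part of any comment in this thread: one way to pin the repository key by its full 40-hex-digit fingerprint rather than by 8-digit key IDs like the ones quoted above, which carry only 32 bits and can be shared by different keys. It parses `gpg --with-colons` output; both key listings and fingerprints are constructed, and the function names, `PINNED_FPR` and the keyring path are assumptions.

```shell
#!/bin/sh
# Added example. Both key listings are constructed; neither is Signal's real key.

FPR_EXPECTED=A1B2C3D4E5F60718293A4B5C6D7E8F9012345678
FPR_LOOKALIKE=0F1E2D3C4B5A69788796A5B4C3D2E1F012345678   # same last 8 digits

# Shaped like `gpg --show-keys --with-colons keys.asc` output (constructed).
SAMPLE_EXPECTED="pub:-:4096:1:6D7E8F9012345678:1500000000:::-:::scESC::::::23::0:
fpr:::::::::$FPR_EXPECTED:
uid:-::::1500000000::0000::Example Repo <repo@example.invalid>::::::::::0:
sub:-:4096:1:1122334455667788:1500000000::::::e::::::23:
fpr:::::::::99AA99AA99AA99AA99AA99AA1122334455667788:"
SAMPLE_LOOKALIKE="pub:-:4096:1:C3D2E1F012345678:1500000001:::-:::scESC::::::23::0:
fpr:::::::::$FPR_LOOKALIKE:
uid:-::::1500000001::0000::Example Repo <repo@example.invalid>::::::::::0:"

# Print primary-key fingerprints: the fpr record that follows each pub record.
# Subkey fingerprints (the fpr after a sub record) are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# The 8-hex-digit "short ID" is just the tail of the fingerprint.
short_id() { printf '%s' "$1" | tail -c 8; }

# usage: key_matches_pin "$listing" "$pinned_fingerprint"
# Succeeds only if the listing holds exactly one primary key and its full
# fingerprint equals the pin (case and spaces in the pin are ignored).
key_matches_pin() {
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ ${#pinned} -eq 40 ] || return 3          # refuse short IDs as a pin
    found=$(printf '%s\n' "$1" | primary_fprs)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    [ "$count" -eq 1 ] || return 2             # no key, or a bundle of keys
    [ "$found" = "$pinned" ]
}

# Source line that trusts the key for this one repository only (apt's
# signed-by option) instead of adding it to the global apt-key keyring.
signed_by_line() {
    printf 'deb [arch=amd64 signed-by=%s] https://updates.signal.org/desktop/apt xenial main\n' "$1"
}

# On a real download (not run here; PINNED_FPR comes from a channel you trust,
# and the keyring path is an assumed location):
#   curl -fsS https://updates.signal.org/desktop/apt/keys.asc -o keys.asc
#   key_matches_pin "$(gpg --show-keys --with-colons keys.asc)" "$PINNED_FPR" &&
#     gpg --dearmor < keys.asc | sudo tee /usr/share/keyrings/signal-desktop.gpg >/dev/null
#   signed_by_line /usr/share/keyrings/signal-desktop.gpg |
#     sudo tee /etc/apt/sources.list.d/signal-xenial.list
```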

------
mrmondo
Was happy to see this as it was the only reason I had Chromium on my machine -
launched it and right off the bat it uses 350MB of memory!

Inspecting the app, it appears to be just another Javascript app (Electron).

------
noja
> Linux distributions supporting APT, like Ubuntu or Debian

Oh come on guys. Don't forget Fedora. Fedora means SELinux. SELinux means you
are getting the people who value security.

~~~
daxorid
I think you underestimate the number of people whose first post-installation
task is setenforce 0

~~~
mrmondo
[https://stopdisablingselinux.com/](https://stopdisablingselinux.com/)

------
etiam
Support post for how to migrate:
[https://support.signal.org/hc/en-us/articles/115002502511-Ho...](https://support.signal.org/hc/en-us/articles/115002502511-How-do-I-migrate-messages-to-the-new-Signal-Desktop-)

------
asdojasdosadsa
A lot of people have given negative feedback (because of electron?). I for one,
am happy for this. I am in the middle of migrating slowly to Mozilla Firefox
from Google Chrome, and one of the hardest things, is to have some of the apps
as standalone. I couldn't use my MacBook for anything else if I wanted to chat
using signal (..and have chrome running in the background).

Maybe that's just me, but it's good news!

~~~
JshWright
It's not "standalone" though... It's moving from being a Chrome extension to
simply bundling an entire instance of Chromium that only it gets to use.

So, you're migrating from Firefox to multiple instances of Chrome...

~~~
StavrosK
I don't understand why it can't be served as a web app, like WhatsApp Web is
:(

------
csomar
Privacy. Privacy. Privacy. Bla, bla, bla... Now we are going to ask for your
phone number.

Am I the only one who thinks this defeats the whole point?

~~~
elago
No. Signal's okay for a drop-in replacement for a phone's built-in text
messaging app (unfortunately really few of my contacts are using it) but once
I'm on a laptop/PC there are way better messaging apps imo.

Signal feels slightly like the pigs in Animal Farm getting everyone riled up
against the unjust farmers, only to take their place.

------
xwvvvvwx
Signal is fantastic. Huge thanks to the team for their efforts.

Really happy to have it as a standalone app outside of Chrome now.

------
laretluval
It's still insane and confusing that you need a phone number to use Signal.
It's almost as if they want to make it hard to be anonymous.

~~~
Foxboron
Signal provides privacy, not anonymity. It's a hard trade off sometimes, but
it's easier for wider adoption.

~~~
laretluval
It's hard to imagine how requiring a phone number makes adoption wider.

------
nullc
More "security" software that blindly accepts effectively unauditable binary
updates from a third party.

------
iwalsh
What does this mean for ChromeOS users? Will Signal be maintained for ChromeOS
or will those users no longer be able to use Signal?

~~~
Zhenya
Seems to be a discussion here:
[https://whispersystems.discoursehosting.net/t/signal-desktop...](https://whispersystems.discoursehosting.net/t/signal-desktop-no-more-signal-on-chromebooks/1362)

------
BlackjackCF
Finally! Here's to hoping the desktop client outperforms the Chrome extension.

------
captn3m0
Published to AUR:

- [https://aur.archlinux.org/packages/signal-desktop-beta/](https://aur.archlinux.org/packages/signal-desktop-beta/)

- [https://aur.archlinux.org/packages/signal-desktop-bin/](https://aur.archlinux.org/packages/signal-desktop-bin/)

------
tomc1985
Not more Electron garbage!

~~~
whostolemyhat
Not more comments complaining about Electron!

~~~
tomc1985
Not more lemmings defending Electron!

------
touart
Is there a web version available? web.whatsapp.com comes in handy if you don't
like electron apps.

------
j7ake
Does signal do search for text as well as a way to view all images exchanged
within a chat? The only way I found was to scroll up while keeping my eyes
focused on certain key words or images. Not a pleasant experience.

~~~
unhammer
work in progress, non-trivial on phone at least:
[https://github.com/WhisperSystems/Signal-Android/issues/1232...](https://github.com/WhisperSystems/Signal-Android/issues/1232#issuecomment-299583255)

------
andyjh
No proxy support, so I can't use it in my corporate environment.

[https://github.com/WhisperSystems/Signal-Desktop/issues/1632](https://github.com/WhisperSystems/Signal-Desktop/issues/1632)

Also a bit annoying that it can't be run in the background, at least on
Windows.

[https://whispersystems.discoursehosting.net/t/new-desktop-ap...](https://whispersystems.discoursehosting.net/t/new-desktop-app-run-in-background/1368)

------
kethinov
Another Electron app, another thread full of people complaining about
Electron.

The solution is to build a common Electron runtime that all Electron apps can
use. But it seems nobody is working on it despite all the complaints.[1]

I really don't understand why there isn't anybody working on it. If that got
implemented, it would put a swift end to the biggest complaints about
Electron.

[1]
[https://github.com/electron/electron/issues/673](https://github.com/electron/electron/issues/673)

~~~
mynewtb
Do you mean a web browser?

~~~
kethinov
The web browser for UI drawing is only part of what Electron does. It also
bundles Node.js and all its APIs, which web browsers don't ship. And Electron
also provides APIs for native OS integration, e.g. native macOS menus and
whatnot.

~~~
pjmlp
Hence web widgets on native UIs.

------
geokon
The weird thing that isn't supported is Signal on 2 Android devices. I tried
to install it on my tablet, but if I put in my phone number it blocks the app
on my phone... bewildering..

Kinda the Wechat model

------
teekert
Great! But it found back some old groups with the same logo as a new group
(what a pain if someone changes their phone, but I understand it is for
security reasons), took me some tries to find what is what. It doesn't sync
back my older messages apparently, again, probably for security reasons. I was
also unable to delete the old groups although they were long deleted from my
phone, they popped up there again. After deleting them on my phone, they still
remain on the desktop.

------
fiatjaf
"If you’ve never used Signal Desktop before, this is a great chance to start.
Download the app, pair it with your phone, and experience private messaging
with all ten fingers."

So it is not _really_ standalone. You still need a phone. This is still a
geeky version of WhatsApp.

In fact, why would I want to use this instead of WhatsApp if they're basically
using the same encryption features and I have to trust the same people (who
assert that)?

(I don't use WhatsApp, I think it is mankind's worst nightmare.)

~~~
aluhut
You need to pair it once with your phone for installation.

~~~
rabidrat
I don't have a phone that can install the app. So I can't use it.

------
JshWright
So now rather than being able to use my existing browser runtime with the
Chrome extension version, I get to run yet another browser runtime that only
runs Signal...

Yay...

------
drudru11
How does whisper system make money?

~~~
24gttghh
> As an Open Source project supported by grants and donations [...] There are
> no ads, no affiliate marketers [...]

From the bottom of the main page on their website. I removed the marketing
copy.

------
teekert
Why an apt package for Debian derivatives only, where they could have opted
for a snap and supported a lot more distros:
[https://snapcraft.io/](https://snapcraft.io/)

I'm very happy with it nonetheless!!

~~~
petre
Or an appimage [https://appimage.org/](https://appimage.org/).

------
Dowwie
can't I just be able to freely remove and add contacts? I'm not asking for
much

------
davexunit
I can't tell from the page if the client can be run without using any nonfree
software. Does anyone know? The Android application unfortunately requires
nonfree components.

------
mtgx
I see that you still can't drag and drop an image on the new desktop app. It's
not a huge issue but it's quite an inconvenience.

------
Igor_kh
Guys, have you heard about checksums? Do you really want me to download and
install that bulky zip/exe on my laptop ?

------
flareback
I was ready to get excited, I installed the app and one contact showed up.
Looks like it only works between signal users.

------
JoeCoder_
No option to minimize to system tray? So I have to have a Signal App taking up
room in my taskbar all the time.

------
nickpp
Can we please stop calling Webapps that come with the whole browser desktop
apps? The fact that you make me install a dedicated browser for your web
app does not magically make it a desktop app. It makes it a worse web app,
which does not even share the browser runtime with other web apps.

Desktop apps are supposed to be: native code, well integrated in the OS, still
working when the net is down and using system widgets and OS look&feel.

~~~
fron
> Desktop apps are supposed to be: native code

That excludes every single .NET application.

> well integrated in the OS

Don't even know what you mean by this.

> still working when the net is down

Not necessarily, a "native" app for Signal still wouldn't work if the net was
down.

> and using system widgets and OS look&feel

I guess that excludes pretty much anything built with Qt.

~~~
raarts
Well call me picky, but I find electron apps to be super wasteful and gobbling
up memory like there's no tomorrow.

Sure I can understand the reasons behind it, it's JavaScript, programmers for
that are abundant, is multi platform because web, but still. If you look at
the functionality offered versus the resources used it's just ridiculous.

I'd like to see a graph of code/memory used vs unused in such binaries.

~~~
fron
I completely agree that most of them are extreme memory hogs. I was just
pointing out that the previous commenter's definition of a desktop application
made almost no sense to me.

------
tclover
yay another electron app

------
petre
Still requires pairing with my phone, thus not _standalone_.

Thank you but I'll just keep using Wire on the desktop and Signal + Wire on
mobile. Too bad, because the mobile version is really good.

------
MattSteelblade
I'm thrilled, it now finally works over 443.

------
biostasis
Design is somehow looking related to Telegram...

~~~
RickS
And nearly indistinguishable from iMessage on OSX.

Chrysler shouldn't make their tires square just because Ford was first to the
circle.

I'm happy they're not burning cycles reinventing the wheel.

