

How? Expiration doesn’t grant an unauthorized party access to the private key.
Another option is to allow otherwise-valid signatures after expiration. It’s generally still possible to check them.
Sure, as long as the probability of the government there taking action against you in the time you’re there is low, why not?
It provides a way to open an investigation into a malicious developer without giving Google the ability to ban anyone it doesn’t like.
Sure, the developer needs to keep the certificate up to date and re-sign the APK on occasion.
It need only check at install time.
It might be a reasonable trade for users to make if Google assumed liability. In fact, that would be an interesting way to implement laws to discourage practices like these.
I’m inclined to think that’s not the job of an OS vendor to prevent. Sure, put a warning label on it, but it’s the user’s device; once they say they know what they’re doing, that should be that.
If Google wanted to add developer verification without being evil, it could use SSL certificates connected to domain names. I think the whole concept is ill-conceived, though I’ll admit to a modest bias against protecting people from themselves.
Is there even a desktop client for Signal?
Yes. There’s also an experimental third-party client for desktop Linux called Flare. I’ve used Flare on some devices that the official client doesn’t support and found it adequate. With some more maturity, I’ll probably prefer it to the official client. Signal officially discourages third-party clients because it cannot guarantee their security but does not attempt to block them except in cases where specific clients are known to be compromised.
Account creation on the mobile app is recommended before using these as it relies on SMS verification. I don’t like that, but it probably cuts down on spam; I’ve received exactly one spam on Signal in over 10 years of use.
The mobile app isn’t on F-droid so I can’t easily install it… Does Signal require Google Play Services to get Firebase messages?
Signal encourages installing from Google Play and uses Firebase messages by default, but does work without them. Given your set of preferences, however, you would probably prefer the third-party client Molly, which is on F-Droid and supports UnifiedPush.
I want a zillion separate self-hosted non-federated servers… something like email addresses in it, that tell the client what server to connect to for a given person.
That sounds like it ends up with properties similar to federation, but the client has to do all the work. The client would also need some means of identifying itself to all those random servers where there’s a cost to creating new identities, or people would need to do key exchange when they exchange contact information. Without that, this proposed system would be overrun by spam as soon as it got popular.
Server-side federation solves a lot of problems. Why wouldn’t you want that?
every computer in the world has Wikipedia on its hard drive for completely private access
You can do that. The download with images is over 100gb compressed, and it expands to several terabytes. It’s not hard to imagine why most people don’t want to use it that way.
So why didn’t [Signal make it easy to connect to alternate servers]?
Encouraging the use of alternate servers on which only a handful of people can communicate instead of everyone who uses Signal is probably a net loss. Having to connect to multiple servers or switch servers to communicate with everyone a user wants to talk to sounds like a pretty bad experience. That would be different if it was federated. Co-founder Moxie Marlinspike has argued that federation would make it harder to achieve Signal’s goals of bringing private communication to as many people as possible. I want him to be wrong about that, but my experiences with Matrix suggest he might not be.
they are in the eyeball monetization business or are gearing up to enter it
I don’t think so, in large part because they’re structured as a nonprofit and have enough funding to last a while. I would think that about a venture-backed startup under similar circumstances.
I don’t use Signal so I don’t understand what is supposed to be great about it
It’s just another messaging app in terms of UX. The value comes from:
Nextcloud Talk doesn’t have end to end encryption. It’s experimental on Jitsi. It’s hard to justify not having that for a private messaging service in 2025.
You just get a server URL and click on it in a browser. No app, unlike Signal as far as I know, so if anything it’s simpler.
This is not a good way to make my phone beep promptly when someone sends me an important message or ring when someone initiates a voice/video call. Browser notifications can be significantly delayed, especially on mobile devices. It’s fine for the sort of public group conversations people have on Matrix and IRC, but a dealbreaker for most people in a primary one-to-one telecommunications system.
The analogy between a private messaging service and a bar is not just strained; it’s nonsensical.
It might work for a chat system that’s mainly public and discoverable like Matrix, IRC, or Discord. A community having too many people, or any people who don’t follow certain norms, can make it unpleasant. As long as it keeps out spammers, Signal having people I don’t want to talk to on it won’t affect me at all; I just won’t give those people my phone number or username.
I’m bothered mostly by the default Signal app’s inability to use a self-hosted server instead of signal.com’s own server.
I don’t like the centralized nature of it either, but until someone makes a decentralized option that’s polished and reliable enough that nobody will be mad at me after I talk them into using it, Signal will be my go-to for messaging.
Ideologically, I’d like it to be Matrix. I use Matrix on occasion, at least when Element web isn’t taking up 10% of my laptop’s RAM, ElementX isn’t crashing on load, and whatever native desktop client I tried last is actually performing key exchange so I can read my private messages. I would not try to talk someone into trying Matrix right now unless they were ideologically motivated or interested in the technology.
I’m not sure adding a questionable social feature to a messaging app is reasonably comparable to the very long list of insane and/or evil shit Musk has done.
Like any messaging system, Signal’s utility is proportional to its userbase. If stories get more people to use it without making it worse for people who don’t care, then they’re a good idea even if I think everything else about the concept is bad.
I think it’s a silly feature for a messaging app, but it has no impact on me if I ignore the feature.
No doubt many “legitimate” apps, including some of Google’s own, are spyware. This claims to be about the sort of malware that steals your bank account login.
I’d even speculate that most of the people involved are working in good faith; they think they’re the good guys and they can be trusted with that kind of power. Nobody should have that kind of power though because it always leads to corruption.
Public pushback on stuff like this does work on occasion. It even worked on Apple when they proposed upload filters for CSAM.
Google’s intent in the short term probably is just about malware, but in the long term it gives them, and governments which can pressure them, the ability to ban any app from nearly all Android devices. Once deployed, there’s a near 100% chance of such a mechanism being used for evil.
I didn’t know it can do word suggestions until I read this comment. A web search suggests this functionality is provided by the ibus-typing-booster package; you could uninstall it or look for settings related to it.
Thunar should be able to access MTP devices when the gvfs-backends package is installed.
Which nullifies the point of certificates having an expiration date (limited window for exploiting a compromised certificate, possibility of domains changing hands), not the point of validating the signature (tie responsibility for apps to who owned a domain on a specific date, allow third parties to create blacklists of bad developers).