Signal finally updates public server code after months of silence

Signal finally updates public server code after months of silence

Update 1 (04/09/2021 @ 04:00 PM ET): We now know why the updated source code for Signal’s back-end server software took so long to be released. Click here for more information. The article, as published on , is preserved below.

Signal Private Messenger has been a popular messaging platform for years, thanks to its focus on privacy and end-to-end encryption. The project has released the source code for every component of Signal, including the back-end server and client applications, but the public code for the server software was left outdated for months until just today.

Signal stores as little information as possible on remote servers, but there is still a server component for connecting users with phone numbers, sending push notifications, and other functionality. Signal has provided the source code for the server software on GitHub, making it possible for anyone to set up their own independent infrastructure. However, most people simply choose to use Signal’s platform, since communication between the primary server and self-hosted servers (federation) is not supported.

After April 22 of last year, Signal stopped updating the public code repository for its server software. The move was concerning, given that Signal’s open-source nature made it easier to perform security audits and ensure that the platform wasn’t leaking private data. A GitHub issue about the lack of releases was created last month, following other discussions on Reddit and Signal’s own community forum.

While Signal hasn’t yet made a public statement about the gap in code releases, the project finally published hundreds of commits today to the public GitHub repository. The repository now shows many code commits completed throughout 2020 and 2021, bumping the latest-available server version from 3.21 to 5.48.

It’s still not clear why Signal went so long without updating its public server code, especially when the group has historically prided itself on being open and transparent. We’ve reached out to Signal for a statement, and we’ll update our coverage when/if we get a response.

Signal Private Messenger
Signal Private Messenger

Update 1: Explanation

Signal CEO Moxie Marlinspike has commented on the GitHub issue with an explanation for the delay. He says that the delay is not because the company was trying to hide details of its new privacy-focused payments feature before it launched but was rather mainly aimed at preventing spammers from gleaning the new anti-spam measures the company planned to enact. He further reiterates that the client source code is published with every release, that builds are reproducible, and that Signal is designed not to trust the server regardless, meaning that having access to the server source code is of “no security consequence.” However, he closes by saying that he understands why people may want to look at the server source code for educational purposes or to run their own instances, so he promises the company will “do a better job of pushing changes in more real time.”

Here’s his comment in full:

“First off, sorry the source for one of our services was so far behind. We often don’t push source until we release things, and there were a few overlapping releases that happened in that period which made it awkward to push at any moment and put us behind. Additionally, we’ve seen a large increase in spam, and a reluctance to immediately publish the exact anti-spam measures we were responding with to a place where spammers could immediately see them combined with the above to cause this extreme delay.

As folks in this thread have noted, our client source is always published with each release, the builds are reproducible, and everything is designed not to trust the server anyway. To be very clear for the few tinfoil hatters here (the internet just wouldn’t be the same without you at this point, thank you for your service), we are not under any “gag order,” there is no NSL, and the whole point is that there’s no “malware” we could install on the server.

Even if it’s of no security consequence, we get why server source is useful for people who want to run their own versions of Signal, understand how Signal works, and just generally see how things are built. We’ll do a better job of pushing changes in more real time.

We try not to use GH issues for discussion, so I’m going to close this now, but hit us up on the forums.”

About author

Corbin Davenport
Corbin Davenport

Corbin is a tech journalist and software developer based in Raleigh, North Carolina. He's also written for Android Police and PC Gamer. Get in touch with him at [email protected]