jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
107 Commits
1 Branch
4.6 MiB
 
 
 
 
Branch: main
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'main'
${ noResults }
blog/content/2019/04/using-signal-on-server.html

109 lines
4.3 KiB
Raw Permalink Blame History 

  1. ---

  2. title: Using Signal on a server

  3. description: >

  4.   A guide to setting up signal on a machine to run automatic notifications.

  5. posted: !!timestamp '2019-04-08'

  6. created: !!timestamp '2019-04-08'

  7. time: 1:54 PM

  8. tags:

  9.   - signal

  10.   - security

  11. ---

  12. 

  13. For a long while, I'd been using an email to SMS gateway to push

  14. important notifications from my server, such as SMART error messages,

  15. to my phone.  After all the

  16. [NSA warrantless surveillance](https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_(2001%E2%80%932007)),

  17. I made a commitment to encrypt as much of my communications as possible.

  18. When Signal came out, I adopted it because of it's strong encryption and

  19. privacy.  Ever since I've been wanting to use it for notifications from

  20. my server.  I finally got around to trying out the CLI version, and got

  21. it to work.

  22. 

  23. The installation of the command line utility for Signal was more straight

  24. forward than I was expecting.  I decided to use

  25. [signal-cli](https://github.com/AsamK/signal-cli) and I was a bit worried,

  26. as it uses Java.  Java has historically been difficult to run on FreeBSD

  27. due to lack of support and draconian licensing terms.  I was surprised

  28. that the packages for OpenJDK 8 were both present and just worked on my

  29. server.  A simple `pkg install openjdk8` got Java up and running.

  30. 

  31. One thing to note is that the package said that fdesc and proc needed to

  32. be mounted for Java to work, but I did not, and things still worked.

  33. There are likely other parts of Java that may not work w/o those mounted,

  34. but not for Signal.

  35. 

  36. As I have been using OSS for a long time, I like to build things from

  37. source, so I followed the instructions at

  38. [Building signal-cli](https://github.com/AsamK/signal-cli#building) and

  39. got the command built with out any trouble.

  40. 

  41. Once the command was built, the

  42. [Usage guide](https://github.com/AsamK/signal-cli#usage) provided the

  43. basics, but didn't include instructions on how to verify the safety

  44. numbers to ensure that the initial exchange was not MitM'd.  There is a

  45. [man page](https://github.com/AsamK/signal-cli/blob/master/man/signal-cli.1.adoc),

  46. but it requires a2x and separate steps to build, but a little bit of

  47. digging got me the necessary steps (also, it turns out that the adoc

  48. format is a simple text format).

  49. 

  50. With a bit of searching, I found the `listIdentities` and `verify`

  51. commands.  There may have been another way, but because I had sent a

  52. test message, my phone was listed:

  53. ```

  54. $ signal-cli -u +XXXXXXXXXXX listIdentities

  55. +YYYYYYYYYYY: TRUSTED_UNVERIFIED Added: Sat Apr 06 18:43:15 PDT 2019 Fingerprint: ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ  Safety Number: WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW

  56. ```

  57. 

  58. And then I needed to use the `trust` subcommand:

  59. ```

  60. $ signal-cli -u +XXXXXXXXXXX trust -v 'WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW' +YYYYYYYYYYY

  61. ```

  62. 

  63. The hardest part of this was figuring out how to invoke the command upon

  64. reception of an email.  I used an alias listed in `/etc/aliases` to forward

  65. the email to both the SMS gateway and myself.  The issue with trying to

  66. invoke the command from here was that the command was run as the `mailnull`

  67. user, which of course didn't have access to my user's home directory to

  68. read the private key.  After a bit of debating, I remembered I use

  69. `procmail`, and realized this was the best way to send the message.

  70. 

  71. I created a symlink for the command into my user's bin directory, created

  72. a short script called `sendcell`:

  73. ```

  74. $ cat ~/bin/sendcell

  75. #!/bin/sh -

  76. 

  77. ~user/bin/signal-cli -u +XXXXXXXXXXX send +YYYYYYYYYYY

  78. ```

  79. 

  80. and then added a filter to my `.procmailrc` file.  The filter at first

  81. looked like this:

  82. ```

  83. :0Wf

  84. * ^TO_celluser@([^@\.]*\.)*example.com

  85. | sendcell

  86. ```

  87. 

  88. But after the first test, it included all the headers, including all the

  89. `Received` headers, so I updated it to use `formail` to remove all but the

  90. `From`, `Subject` and `Date` (in case the message gets significantly delayed,

  91. I can see by how much) headers:

  92. ```

  93. :0c

  94. * ^TO_celluser@([^@\.]*\.)*example.com

  95. {

  96. :0Wf

  97. | formail -k -X From: -X Subject: -X Date:

  98. 

  99. :0

  100. | sendcell

  101. }

  102. ```

  103. 

  104. and now I get the messages delivered to my phone securely!

  105. 

  106. It is tempting to use this to be able to invoke commands on my server

  107. remotely, but there isn't much I need to do when I don't have my laptop

  108. with me.