jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
56 Commits
1 Branch
4.6 MiB
 
 
 
 
Tree: 010c825a8d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '010c825a8d'
${ noResults }
blog/content/2019/04/using-signal-on-server.html

108 lines
4.3 KiB
Raw Blame History 

  1. ---

  2. title: Using Signal on a server

  3. description: >

  4.   A guide to setting up signal on a machine to run automatic notifications.

  5. created: !!timestamp '2019-04-08'

  6. time: 1:54 PM

  7. tags:

  8.   - signal

  9.   - security

  10. ---

  11. 

  12. For a long while, I'd been using an email to SMS gateway to push

  13. important notifications from my server, such as SMART error messages,

  14. to my phone.  After all the

  15. [NSA warrantless surveillance](https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_(2001%E2%80%932007)),

  16. I made a commitment to encrypt as much of my communications as possible.

  17. When Signal came out, I adopted it because of it's strong encryption and

  18. privacy.  Ever since I've been wanting to use it for notifications from

  19. my server.  I finally got around to trying out the CLI version, and got

  20. it to work.

  21. 

  22. The installation of the command line utility for Signal was more straight

  23. forward than I was expecting.  I decided to use

  24. [signal-cli](https://github.com/AsamK/signal-cli) and I was a bit worried,

  25. as it uses Java.  Java has historically been difficult to run on FreeBSD

  26. due to lack of support and draconian licensing terms.  I was surprised

  27. that the packages for OpenJDK 8 were both present and just worked on my

  28. server.  A simple `pkg install openjdk8` got Java up and running.

  29. 

  30. One thing to note is that the package said that fdesc and proc needed to

  31. be mounted for Java to work, but I did not, and things still worked.

  32. There are likely other parts of Java that may not work w/o those mounted,

  33. but not for Signal.

  34. 

  35. As I have been using OSS for a long time, I like to build things from

  36. source, so I followed the instructions at

  37. [Building signal-cli](https://github.com/AsamK/signal-cli#building) and

  38. got the command built with out any trouble.

  39. 

  40. Once the command was built, the

  41. [Usage guide](https://github.com/AsamK/signal-cli#usage) provided the

  42. basics, but didn't include instructions on how to verify the safety

  43. numbers to ensure that the initial exchange was not MitM'd.  There is a

  44. [man page](https://github.com/AsamK/signal-cli/blob/master/man/signal-cli.1.adoc),

  45. but it requires a2x and separate steps to build, but a little bit of

  46. digging got me the necessary steps (also, it turns out that the adoc

  47. format is a simple text format).

  48. 

  49. With a bit of searching, I found the `listIdentities` and `verify`

  50. commands.  There may have been another way, but because I had sent a

  51. test message, my phone was listed:

  52. ```

  53. $ signal-cli -u +XXXXXXXXXXX listIdentities

  54. +YYYYYYYYYYY: TRUSTED_UNVERIFIED Added: Sat Apr 06 18:43:15 PDT 2019 Fingerprint: ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ  Safety Number: WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW

  55. ```

  56. 

  57. And then I needed to use the `trust` subcommand:

  58. ```

  59. $ signal-cli -u +XXXXXXXXXXX trust -v 'WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW' +YYYYYYYYYYY

  60. ```

  61. 

  62. The hardest part of this was figuring out how to invoke the command upon

  63. reception of an email.  I used an alias listed in `/etc/aliases` to forward

  64. the email to both the SMS gateway and myself.  The issue with trying to

  65. invoke the command from here was that the command was run as the `mailnull`

  66. user, which of course didn't have access to my user's home directory to

  67. read the private key.  After a bit of debating, I remembered I use

  68. `procmail`, and realized this was the best way to send the message.

  69. 

  70. I created a symlink for the command into my user's bin directory, created

  71. a short script called `sendcell`:

  72. ```

  73. $ cat ~/bin/sendcell

  74. #!/bin/sh -

  75. 

  76. ~user/bin/signal-cli -u +XXXXXXXXXXX send +YYYYYYYYYYY

  77. ```

  78. 

  79. and then added a filter to my `.procmailrc` file.  The filter at first

  80. looked like this:

  81. ```

  82. :0Wf

  83. * ^TO_celluser@([^@\.]*\.)*example.com

  84. | sendcell

  85. ```

  86. 

  87. But after the first test, it included all the headers, including all the

  88. `Received` headers, so I updated it to use `formail` to remove all but the

  89. `From`, `Subject` and `Date` (in case the message gets significantly delayed,

  90. I can see by how much) headers:

  91. ```

  92. :0c

  93. * ^TO_celluser@([^@\.]*\.)*example.com

  94. {

  95. :0Wf

  96. | formail -k -X From: -X Subject: -X Date:

  97. 

  98. :0

  99. | sendcell

  100. }

  101. ```

  102. 

  103. and now I get the messages delivered to my phone securely!

  104. 

  105. It is tempting to use this to be able to invoke commands on my server

  106. remotely, but there isn't much I need to do when I don't have my laptop

  107. with me.