jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
43 Commits
1 Branch
4.6 MiB
 
 
 
 
Tree: 9fa1c261aa
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9fa1c261aa'
${ noResults }
blog/content/2019/04/using-signal-on-server.html

107 lines
4.2 KiB
Raw Blame History 

  1. ---

  2. title: Using Signal on a server

  3. description: >

  4.   Using Signal on a server

  5. created: !!timestamp '2019-04-08'

  6. time: 1:54 PM

  7. tags:

  8.   - signal

  9. ---

  10. 

  11. For a long while, I'd been using an email to SMS gateway to push

  12. important notifications from my server, such as SMART error messages,

  13. to my phone.  After all the

  14. [NSA warrantless surveillance](https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_(2001%E2%80%932007)),

  15. I made a commitment to encrypt as much of my communications as possible.

  16. When Signal came out, I adopted it because of it's strong encryption and

  17. privacy.  Ever since I've been wanting to use it for notifications from

  18. my server.  I finally got around to trying out the CLI version, and got

  19. it to work.

  20. 

  21. The installation of the command line utility for Signal was more straight

  22. forward than I was expecting.  I decided to use

  23. [signal-cli](https://github.com/AsamK/signal-cli) and I was a bit worried,

  24. as it uses Java.  Java has historically been difficult to run on FreeBSD

  25. due to lack of support and draconian licensing terms.  I was surprised

  26. that the packages for OpenJDK 8 were both present and just worked on my

  27. server.  A simple `pkg install openjdk8` got Java up and running.

  28. 

  29. One thing to note is that the package said that fdesc and proc needed to

  30. be mounted for Java to work, but I did not, and things still worked.

  31. There are likely other parts of Java that may not work w/o those mounted,

  32. but not for Signal.

  33. 

  34. As I have been using OSS for a long time, I like to build things from

  35. source, so I followed the instructions at

  36. [Building signal-cli](https://github.com/AsamK/signal-cli#building) and

  37. got the command built with out any trouble.

  38. 

  39. Once the command was built, the

  40. [Usage guide](https://github.com/AsamK/signal-cli#usage) provided the

  41. basics, but didn't include instructions on how to verify the safety

  42. numbers to ensure that the initial exchange was not MitM'd.  There is a

  43. [man page](https://github.com/AsamK/signal-cli/blob/master/man/signal-cli.1.adoc),

  44. but it requires a2x and separate steps to build, but a little bit of

  45. digging got me the necessary steps (also, it turns out that the adoc

  46. format is a simple text format).

  47. 

  48. With a bit of searching, I found the `listIdentities` and `verify`

  49. commands.  There may have been another way, but because I had sent a

  50. test message, my phone was listed:

  51. ```

  52. $ signal-cli -u +XXXXXXXXXXX listIdentities

  53. +YYYYYYYYYYY: TRUSTED_UNVERIFIED Added: Sat Apr 06 18:43:15 PDT 2019 Fingerprint: ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ  Safety Number: WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW

  54. ```

  55. 

  56. And then I needed to use the `trust` subcommand:

  57. ```

  58. $ signal-cli -u +XXXXXXXXXXX trust -v 'WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW WWWWW' +YYYYYYYYYYY

  59. ```

  60. 

  61. The hardest part of this was figuring out how to invoke the command upon

  62. reception of an email.  I used an alias listed in `/etc/aliases` to forward

  63. the email to both the SMS gateway and myself.  The issue with trying to

  64. invoke the command from here was that the command was run as the `mailnull`

  65. user, which of course didn't have access to my user's home directory to

  66. read the private key.  After a bit of debating, I remembered I use

  67. `procmail`, and realized this was the best way to send the message.

  68. 

  69. I created a symlink for the command into my user's bin directory, created

  70. a short script called `sendcell`:

  71. ```

  72. $ cat ~/bin/sendcell

  73. #!/bin/sh -

  74. 

  75. ~user/bin/signal-cli -u +XXXXXXXXXXX send +YYYYYYYYYYY

  76. ```

  77. 

  78. and then added a filter to my `.procmailrc` file.  The filter at first

  79. looked like this:

  80. ```

  81. :0Wf

  82. * ^TO_celluser@([^@\.]*\.)*example.com

  83. | sendcell

  84. ```

  85. 

  86. But after the first test, it included all the headers, including all the

  87. `Received` headers, so I updated it to use `formail` to remove all but the

  88. `From`, `Subject` and `Date` (in case the message gets significantly delayed,

  89. I can see by how much) headers:

  90. ```

  91. :0c

  92. * ^TO_celluser@([^@\.]*\.)*example.com

  93. {

  94. :0Wf

  95. | formail -k -X From: -X Subject: -X Date:

  96. 

  97. :0

  98. | sendcell

  99. }

  100. ```

  101. 

  102. and now I get the messages delivered to my phone securely!

  103. 

  104. It is tempting to use this to be able to invoke commands on my server

  105. remotely, but there isn't much I need to do when I don't have my laptop

  106. with me.