Specify install location?

[mhkeller]

• I have searched open and closed issues for duplicates

---

Is it possible (or could it be) to install Signal Desktop to a custom location, such as an encrypted Veracrypt volume? One use case is when you want to have Signal Desktop on a computer that is managed by a corporate IT team and don't want wherever Signal stores your private key and chats to be available to a user with those permissions.

Other use cases (mostly folks that don't like their chats being stored on disk unencrypted due to sharing of access to the machine with others or folks that want a lock screen / password) are referenced in #1850 #452 #550 #710 #790

If you could tell Signal to install itself and all its files within that volume, that could be a shorter route to addressing this concern.

[jerekarsten]

To work around this lack of undefinable install location, you can unpack the installer.exe with 7zip. Inside the installer package go to $PLUGINSDIR and unpack app-64.7z to a desired location. Then you can run Signal as standalone application by running signal.exe from the unpacked location.

[mhkeller]

Hi @scottnonnenberg-signal, just checking in on this one and letting you know It's still a desirable feature on our end and comes up in discussion pretty frequently when I talk with people about whether Signal Desktop is a workable solution for them.

[scottnonnenberg-signal]

@mhkeller Can you tell me a little bit more about why it's so important to the people you talk to?

[KRtekTM]

Since the Signal desktop app is not able to lock itself by password, I was trying to hide the app on encrypted virtual hard drive.
Thanks to the impossibility to change the default location of Signal desktop app, this way is completely unusuable.

Why?

Even you move the Signal app to the encrypted folder, each installed update is placing Signal app to the default user folder without any notice.

I'm using Signal on daily basis. On Android phone, there is no issue. But this behavior of desktop version makes it very unsecure.

You should implement at least one of mentioned - password to app or possibility to change default location AND KEEP IT AFTER UPDATE.

At least the current approach is very weird and I'm wondering that developers thinks the Windows account security is enough...

[Emaro]

Since I got a partition I use to install all my software, I wouldn't mind an option to specify the install location too.

[jumper444]

Explanation why this issue is important:

1. Signal is a privacy/security application. If it is runable on a person's computer it will load past messages for view and give access to trusted/secure communications. This is not wanted by unapproved people.

2. In its current design, Signal desktop installs in only one place...the standard program location of Windows (and I'm presuming Linux/Mac also).

3. Whole drive encryption is (can be) complex and bring up many problems for most operating systems. There are all kinds of requirements (TPM modules, bootloader compatibilities) and issues (what if the machine crashes or has errors, how do you repair an encrypted system, how do you backup or image an encrypted system with 3rd party tools, etc.)

4. THUS, most people do NOT use 'whole (system) drive' encryption. (But they still want security. More on that in a moment).

5. Therefore, this wonderful, magical, secure, special, encrypted messaging platform of Signal is ENTIRELY OPEN AND ACCESSIBLE to anybody (or authority) who can simply turn on or access a current user's machine. EASY. Just boot it up and run Signal...all messages come up and all communication is possible with all contacts (pretending to be the encrypted/authenticated user). Security forces around the world are happy.

6. SO...putting Signal desktop in that default, unmovable, system location has mostly BROKEN any semblance of security (Android and iOS, of course, DO encrypt their apps and data partitions by default so they don't have the same problem - essentially they have 'full disk encryption'...but that is because they are consumer devices built with this feature on by default (and in hardware!) and without all the hassles and conflicts which come with 30+yr old desktop OS's trying to do the same thing.)

continuing on...

7. In order to avoid the problems with full system encryption on desktop OS machines, users who desire security will take a more practical and easy path...they will created encrypted CONTAINERS (truecrypt, veracrypt) or MOUNTABLE encrypted file systems (partitions), but which are NOT their critical/running 'system' partition.

8. They will then put all their important programs and data in those separate containers and partitions. These will be safely protected when the machine is off and ALSO when the machine is opened/used/inspected by malicious parties (!!!). The machine will still boot up and run and be able to be troubleshot. If the system partition crashes the container or data partition is still separately accessible and unharmed. The encrypted containers and data partitions can also be easily backed up separately from the system which doesn't change as much and isn't as critical. But the key point is that nothing in these containers or partitions is available to a malicious actor simply because they have access to the machine and can TURN IT ON!! Signal, in its current (forced) install and running setup, breaks this.

9. Signal desktop (for all the reasons given above) should: A) allow a CUSTOM install location to be specified (which would then be an encrypted container or partition); and B) the program, generally, should work like a 'portable app' meaning ALL necessary files, executables, reg entries, ini data, resources, etc...are present within that same (custom) install location (and sub directory tree). Thus, the install location is ALL that is necessary for the program to run (and it references all files within its location using relative directory locations based on the starting location of the beginning executable.)

In conclusion those are the reasons Signal's install and running configuration (on windows; likely the other OS's as well since I presume this oversight extends throughout the dev team, no offense intended) should be adjusted to allow custom install location (which would then also fully contain all necessary files in a 'portable' type setup). It is also the reason the current setup is insecure.

Please consider a design change going forward.

[mhkeller]

@scottnonnenberg sorry for the delay. @jumper444 summarizes the reasons that I think this is an important feature to prioritize. I recommend people against using Signal on Desktop in any kind of work or office environment, which for journalists is often the main setting they would use Signal.

Other encrypted chat programs such as Keybase have different operating details that don't expose unencrypted chat data to the filesystem or potentially to administrator users. It would be great if Signal matched this feature.

[scottnonnenberg-signal]

Thanks for the input. I will say that user permissions on a machine are a useful, protective tool, and machine-level encryption in 2019 isn't nearly as difficult as is claimed.

I'm going to lock this issue. If you'd like to continue to discuss, please use the forums.