Signal Messenger Keyring Issue on Whonix - Electron Safestorage Missing

marcos-morar · March 3, 2025, 12:06pm

Hi,

I’ve run into an issue with Signal Messenger on Whonix that I’d like some input on.

Signal uses Electron Safestorage to securely store its private keys in the local system’s keyring. However, it seems that Electron Safestorage isn’t included by default in Whonix, nor is it listed as a dependency when installing Signal Messenger on the Whonix Workstation.

Because of this, no keyring is generated to store Signal’s private keys securely. Instead, the keys end up being saved in plain text on the local system, which is obviously a security concern. I found that manually installing seahorse pulls in Electron Safestorage as a dependency, and once that’s done, the keyring feature works properly with Signal.

I raised this issue on Signal Messenger’s GitHub repository, but their team responded that this is a Whonix-specific issue, and they can’t address it on their end.

In my opinion, Whonix should either include Electron Safestorage by default in the Workstation or ensure it’s installed as a dependency when Signal Messenger is installed, given how critical this is for secure key storage.

Is there a Whonix Git repository where I can report this issue directly, or will posting it here on the forum be sufficient to get it addressed?

Looking forward to your feedback!

Patrick · March 4, 2025, 3:55pm

First time I hear this.

If unavailable in packages.debian.org, then chances are very bad…

No search results for search term:

“safeStorage” site:Debian.org

This is probably unspecific to Whonix.

Should be applicable to Debian too? Resolvable as per Self Support First Policy for Whonix?

Best to only rely on Full Disk Encryption (FDE) exactly because of issues such as this.

No need to post elsewhere in any Kicksecure / Whonix places.

If it will be addressed, depends on replies here and/or by signal.

I have replied to the ticket just now:

github.com/signalapp/Signal-Desktop

Signal is not creating a keyring password on the Whonix workstation.

opened 10:22AM - 11 Feb 25 UTC

closed 10:27PM - 11 Feb 25 UTC

marcos-morar

### Using a supported version? - [x] I have searched searched open and closed i…ssues for duplicates. - [x] I am using Signal-Desktop as provided by the Signal team, not a 3rd-party package. ### Overall summary Hi! I've tested this bug on over 15 machines, including those of my colleagues and acquaintances, all running the Whonix Workstation. In 9 out of 10 cases, when Signal is newly installed and linked with a primary device, it doesn't prompt to create a keyring password. However, if I install Seahorse on Whonix Workstation and restart Signal, it immediately asks to generate a keyring password. This issue has been occurring since the version where this functionality was introduced. I have explored all other possibilities for this issue, including potential problems with Whonix itself, but it only occurs with Signal and no other app. If it were a Whonix issue, it should affect other apps as well. What I haven't tried is checking it on any other Linux distribution besides Whonix Workstation. Regards! ### Steps to reproduce 1. Install Signal-Desktop on Whonix Workstation 17. 2. Link with the primary device. (Signal will not ask for a keyring password). 3. Install Seahorse on Whonix Workstation 17. 4. Restart Signal. (Signal will immediately prompt to generate a keyring password). ### Expected result Signal should prompt to generate a keyring password on first use after installation. ### Actual result Signal does not prompt to generate a keyring password on first use after installation or linking a device. It only asks to generate a password if Seahorse is installed on the system. ### Screenshots _No response_ ### Signal version 7.41.0 ### Operating system Whonix Workstation 17 ### Version of Signal on your phone _No response_ ### Link to debug log _No response_

Patrick · March 4, 2025, 4:08pm

related, default secret provider backend:

(Whonix is based on Kicksecure)

Kicksecure and therefore by extension Whonix already installs gnome-keyring by default.

Does signal support gnome-keyring or only seahorse or otherwise?

marcos-morar · March 4, 2025, 5:59pm

I’m running Whonix Workstation 17 on Qubes OS.

When I ran sudo apt install seahorse in Whonix Workstation, I got this output:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  cracklib-runtime gcr gnome-keyring gnome-keyring-pkcs11 libcbor0.8 libcrack2
  libfido2-1 libgcr-ui-3-1 libhandy-1-0 libpam-gnome-keyring
  libpwquality-common libpwquality1 openssh-client p11-kit p11-kit-modules
  pinentry-gnome3 wamerican
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass pinentry-doc
The following NEW packages will be installed:
  cracklib-runtime gcr gnome-keyring gnome-keyring-pkcs11 libcbor0.8 libcrack2
  libfido2-1 libgcr-ui-3-1 libhandy-1-0 libpam-gnome-keyring
  libpwquality-common libpwquality1 openssh-client p11-kit p11-kit-modules
  pinentry-gnome3 seahorse wamerican
0 upgraded, 18 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,717 kB of archives.
After this operation, 28.7 MB of additional disk space will be used.

This shows that gnome-keyring isn’t installed by default. However, I checked for libsecret-1-0, which Signal uses to interface with a keyring backend (i.e., for Electron’s secure storage), and confirmed it’s already installed:

[template workstation user ~]% dpkg -l | grep libsecret
ii  libsecret-1-0:amd64          0.20.5-3        amd64        Secret store
ii  libsecret-common             0.20.5-3         all          Secret store (common files)

Signal requires both libsecret and a running keyring daemon (like GNOME Keyring) to store keys securely. Since libsecret-1-0 is present, the issue seems to be that gnome-keyring is neither installed nor running by default. Without it, Signal can’t utilize libsecret for secure key storage.

In a standard Debian GNOME install, gnome-keyring is typically included, and Signal works out of the box. In Whonix, its absence feels like a deliberate choice for a lean, security-focused system. If Signal depends on a keyring daemon that Whonix doesn’t provide by default, isn’t this a Whonix-specific configuration issue rather than an upstream problem?

marcos-morar · March 4, 2025, 6:10pm

I appreciate the suggestion, but I don’t think Full Disk Encryption (FDE) fully addresses this issue. FDE protects data at rest, which is valuable, but it doesn’t safeguard against runtime threats. A trojan could compromise Whonix Workstation, whether through social engineering, an unpatched zero-day exploit, or another vulnerability, and access Signal’s private keys stored in plain text in local storage. Once the system is unlocked, FDE offers no protection against such an attack. Relying solely on FDE seems insufficient when the absence of a keyring daemon leaves sensitive data exposed in a way that could be mitigated with a more secure default configuration.

Patrick · March 5, 2025, 9:18am

marcos-morar:

Patrick:

Best to only rely on Full Disk Encryption (FDE) exactly because of issues such as this.

I appreciate the suggestion, but I don’t think Full Disk Encryption (FDE) fully addresses this issue. FDE protects data at rest, which is valuable, but it doesn’t safeguard against runtime threats. A trojan could compromise Whonix Workstation, whether through social engineering, an unpatched zero-day exploit, or another vulnerability, and access Signal’s private keys stored in plain text in local storage. Once the system is unlocked, FDE offers no protection against such an attack. Relying solely on FDE seems insufficient when the absence of a keyring daemon leaves sensitive data exposed in a way that could be mitigated with a more secure default configuration.

If Signal can access the secrets through gnome-keyring, so can malware. It’s a bit harder to implement malware that uses the session cookie equivalent of gnome-keyring than just uploading a plain text file but still not very hard. This functionality might even already be available as a module in metasploit or malware somewhere.

It’s not as per Error storing passphrase in keyring (The name org.freedesktop.secrets was not provided by any .service files) - Development - Kicksecure Forums

Will be done in next update:

marcos-morar · March 5, 2025, 10:23am

You are right, but I think it applies more to a targeted attack specifically designed to extract private keys from gnome-keyring. That’s a different scenario compared to a generic trojan that gains system access and stumbles upon private keys stored in plain text as an easy bonus. The added layer of complexity with gnome-keyring at least raises the bar beyond trivial access.

Thanks a lot! Really appreciate it, looking forward to the next update.