From 3a9cee56e6b279c45f2e419e150dd1dd3fab4b80 Mon Sep 17 00:00:00 2001 From: Simon Date: Thu, 26 Sep 2024 23:11:12 +0300 Subject: [PATCH 1/6] Add environment variable to select storage provider --- org.signal.Signal.yaml | 1 + signal-desktop.sh | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/org.signal.Signal.yaml b/org.signal.Signal.yaml index c5c973d..8bd4016 100644 --- a/org.signal.Signal.yaml +++ b/org.signal.Signal.yaml @@ -35,6 +35,7 @@ finish-args: # Environment Variables to control the behavior - --env=SIGNAL_DISABLE_GPU=0 - --env=SIGNAL_DISABLE_GPU_SANDBOX=0 + - --env=SIGNAL_PASSWORD_STORE=basic # Use same mouse cursors as host - --env=XCURSOR_PATH=/run/host/user-share/icons:/run/host/share/icons diff --git a/signal-desktop.sh b/signal-desktop.sh index 7ed4459..c0bb1f3 100644 --- a/signal-desktop.sh +++ b/signal-desktop.sh @@ -10,6 +10,12 @@ if (( ${SIGNAL_USE_WAYLAND:-0} )); then export ELECTRON_OZONE_PLATFORM_HINT="${ELECTRON_OZONE_PLATFORM_HINT:-auto}" fi +SIGNAL_PASSWORD_STORE="${SIGNAL_PASSWORD_STORE:-basic}" + +EXTRA_ARGS+=( + "--password-store=${SIGNAL_PASSWORD_STORE}" +) + if [[ "${SIGNAL_DISABLE_GPU}" -eq 1 ]]; then EXTRA_ARGS+=( "--disable-gpu" From 3a97cb59ec9af02f855c902345e80809c4c9e9c7 Mon Sep 17 00:00:00 2001 From: Simon Date: Fri, 27 Sep 2024 00:01:36 +0300 Subject: [PATCH 2/6] Simplify password store env variable --- signal-desktop.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/signal-desktop.sh b/signal-desktop.sh index c0bb1f3..926e41d 100644 --- a/signal-desktop.sh +++ b/signal-desktop.sh @@ -10,10 +10,8 @@ if (( ${SIGNAL_USE_WAYLAND:-0} )); then export ELECTRON_OZONE_PLATFORM_HINT="${ELECTRON_OZONE_PLATFORM_HINT:-auto}" fi -SIGNAL_PASSWORD_STORE="${SIGNAL_PASSWORD_STORE:-basic}" - -EXTRA_ARGS+=( - "--password-store=${SIGNAL_PASSWORD_STORE}" +EXTRA_ARGS=( + "--password-store=${SIGNAL_PASSWORD_STORE:-basic}" ) if [[ "${SIGNAL_DISABLE_GPU}" -eq 1 ]]; then 
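Review bot: In PATCH 2/6 the password-store argument is written with `EXTRA_ARGS=(` instead of `EXTRA_ARGS+=(`, so the array is replaced rather than extended and anything appended to it earlier in the script would be dropped silently. Only an `export` precedes this point in the visible context, so it is harmless today, but the GPU block right after it uses `+=` and a later reordering would lose arguments without any error. Keeping the PATCH 1/6 form, `EXTRA_ARGS+=( "--password-store=${SIGNAL_PASSWORD_STORE:-basic}" )`, avoids that trap. The `if` block that follows continues outside the hunk.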
From f565bcb2cb24d78ab3960756041fc2f9c04d7da6 Mon Sep 17 00:00:00 2001 From: Simon Date: Fri, 27 Sep 2024 00:09:20 +0300 Subject: [PATCH 3/6] Add password store description to readme --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index cff2429..5e8e2a7 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,12 @@ You can set the following environment variables: - `ELECTRON_OZONE_PLATFORM_HINT=auto`: Enables Wayland support - `SIGNAL_DISABLE_GPU=1`: Disables GPU acceleration - `SIGNAL_DISABLE_GPU_SANDBOX=1`: Disables GPU sandbox +- `SIGNAL_PASSWORD_STORE`: Selects where the database key is stored. Valid options are: + - `basic` Writes the key in plaintext to config.json. This is the default. + - `gnome_libsecret` for X-Cinnamon, Deepin, GNOME, Pantheon, XFCE, UKUI, unity + - `kwallet` for kde4 + - `kwallet5` for kde5 + - `kwallet6` for kde6 ## Wayland From 5ad89fef9c422ff4aad36405349b57e8540271c7 Mon Sep 17 00:00:00 2001 From: Bernhard Bermeitinger Date: Fri, 27 Sep 2024 09:29:40 +0200 Subject: [PATCH 4/6] Validate the password store and print an info when using basic Signed-off-by: Bernhard Bermeitinger --- signal-desktop.sh | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/signal-desktop.sh b/signal-desktop.sh index 926e41d..934e764 100644 --- a/signal-desktop.sh +++ b/signal-desktop.sh 
@@ -6,13 +6,29 @@ declare -i SIGNAL_DISABLE_GPU="${SIGNAL_DISABLE_GPU:-0}" declare -i SIGNAL_DISABLE_GPU_SANDBOX="${SIGNAL_DISABLE_GPU_SANDBOX:-0}" # only kept for backward compatibility -if (( ${SIGNAL_USE_WAYLAND:-0} )); then +if ((${SIGNAL_USE_WAYLAND:-0})); then export ELECTRON_OZONE_PLATFORM_HINT="${ELECTRON_OZONE_PLATFORM_HINT:-auto}" fi -EXTRA_ARGS=( - "--password-store=${SIGNAL_PASSWORD_STORE:-basic}" -) +declare -r SIGNAL_PASSWORD_STORE="${SIGNAL_PASSWORD_STORE:-basic}" + +case "${SIGNAL_PASSWORD_STORE}" in + basic | gnome-libsecret | kwallet | kwallet5 | kwallet6) + echo "Debug: Using password store: ${SIGNAL_PASSWORD_STORE}" + EXTRA_ARGS=( + "--password-store=${SIGNAL_PASSWORD_STORE}" + ) + ;; + *) + echo "Error: SIGNAL_PASSWORD_STORE (${SIGNAL_PASSWORD_STORE}) must be one of the following: basic, gnome-libsecret, kwallet, kwallet5, kwallet6" + exit 1 + ;; +esac + +if [[ "${SIGNAL_PASSWORD_STORE}" == "basic" ]]; then + echo "Info: Using basic password store. The encryption key to the datbase will be stored unencrypted." + echo "Info: If you see a database opening error, you should change the environent variable SIGNAL_PASSWORD_STORE to one of the following: gnome-libsecret, kwallet, kwallet5, or kwallet6" +fi if [[ "${SIGNAL_DISABLE_GPU}" -eq 1 ]]; then EXTRA_ARGS+=( From c1daacdc13426dc777899733bfe7336bf4eee88a Mon Sep 17 00:00:00 2001 From: bbhtt Date: Fri, 27 Sep 2024 10:34:27 +0200 Subject: [PATCH 5/6] Show warning about (lack of) encryption --- signal-desktop.sh | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/signal-desktop.sh b/signal-desktop.sh index 926e41d..ebe8d9e 100644 --- a/signal-desktop.sh +++ b/signal-desktop.sh 
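Review bot: The `case` arm accepts `gnome-libsecret`, but the README text added in PATCH 3/6 and the dialog text in PATCH 5/6 and 6/6 tell users to set `gnome_libsecret`, so a user following those instructions to move the database key out of plaintext storage lands in the `*)` arm and the app exits. The hyphenated spelling is the one used by the `flatpak override` example in PATCH 6/6, so the README and dialog strings should be aligned to it. Separately, the failure message is printed to stdout; `echo "Error: ..." >&2` keeps it out of captured output. The two `Info:` strings contain typos (`datbase`, `environent`).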
@@ -1,5 +1,30 @@ #!/bin/bash +report_warning() { + read -r -d '|' MESSAGE <plaintext password store by +default due to database corruption bugs when using the encrypted backends. +This will leave your keys unencrypted on disk. + +If you wish to experiment with the encrypted backend at the risk of +database corruption, set the environment variable +SIGNAL_PASSWORD_STORE to gnome_libsecret, kwallet, +kwallet5 or kwallet6 depending on your desktop environment using +Flatseal. + +Press Yes to proceed with plaintext password store or +No to exit. | +EOF + zenity --question --no-wrap --default-cancel --icon-name=dialog-warning --title "Warning" --text "$MESSAGE" + + if [ "$?" -eq "1" ]; then + echo "Debug: Abort as user pressed no" + exit 1 + else + touch "${XDG_CACHE_HOME}"/warning-shown + fi +} + EXTRA_ARGS=() declare -i SIGNAL_DISABLE_GPU="${SIGNAL_DISABLE_GPU:-0}" @@ -30,4 +55,19 @@ echo "Debug: Will run signal with the following arguments:" "${EXTRA_ARGS[@]}" echo "Debug: Additionally, user gave: $*" export TMPDIR="${XDG_RUNTIME_DIR}/app/${FLATPAK_ID}" + +found_basic_pw_store=false +for value in "${EXTRA_ARGS[@]}"; do + if [[ "--password-store=basic" = "$value" ]]; then + found_basic_pw_store=true + break + fi +done + +if "$found_basic_pw_store" && [[ ! -f "${XDG_CACHE_HOME}"/warning-shown ]]; then + report_warning +elif ! "$found_basic_pw_store"; then + rm "${XDG_CACHE_HOME}"/warning-shown || true +fi + exec zypak-wrapper "/app/Signal/signal-desktop" "${EXTRA_ARGS[@]}" "$@" From cec5685dbf8e803f46ba6095c238fd4e30dbce06 Mon Sep 17 00:00:00 2001 From: Bernhard Bermeitinger Date: Fri, 27 Sep 2024 11:07:54 +0200 Subject: [PATCH 6/6] Reword the notification Signed-off-by: Bernhard Bermeitinger --- signal-desktop.sh | 37 ++++++++++++++----------------------- 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/signal-desktop.sh b/signal-desktop.sh index 48f8cd1..d3bef7f 100644 --- a/signal-desktop.sh +++ b/signal-desktop.sh 
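Review bot: In report_warning the test `[ "$?" -eq "1" ]` treats every zenity exit status other than 1 as consent, so if the dialog cannot be shown at all (zenity missing, no display, or any other non-zero status) the `else` branch still writes `warning-shown` and the app starts with the plaintext key store without the user having seen the warning. Testing the command directly makes only an explicit Yes count: `if zenity --question ... --text "$MESSAGE"; then touch "${XDG_CACHE_HOME}/warning-shown"; else exit 1; fi`. At the least the marker should not be written unless the status is 0. `MESSAGE` is assigned as a global; `local MESSAGE` before the `read` would keep it inside the function.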
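Review bot: In the second hunk of PATCH 5/6, `rm "${XDG_CACHE_HOME}"/warning-shown || true` prints a "No such file" error on every launch with a non-basic store once the marker is gone; `rm -f -- "${XDG_CACHE_HOME}/warning-shown"` has the same effect without the noise and without `|| true`. The same line is carried into the second hunk of PATCH 6/6. The loop only inspects `EXTRA_ARGS`, so a `--password-store=basic` passed by the user in `"$@"` is not seen by this check; a one-line comment saying that is intentional would help.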
@@ -4,13 +4,16 @@ report_warning() { read -r -d '|' MESSAGE <plaintext password store by default due to database corruption bugs when using the encrypted backends. -This will leave your keys unencrypted on disk. +This will leave your keys unencrypted on disk as it did in all previous versions. -If you wish to experiment with the encrypted backend at the risk of -database corruption, set the environment variable -SIGNAL_PASSWORD_STORE to gnome_libsecret, kwallet, -kwallet5 or kwallet6 depending on your desktop environment using -Flatseal. +If you wish to experiment with the encrypted backend, set the environment variable +SIGNAL_PASSWORD_STORE to gnome_libsecret, kwallet, +kwallet5 or kwallet6 depending on your desktop environment using +Flatseal or the following command: + +flatpak override --env=SIGNAL_PASSWORD_STORE=gnome-libsecret org.signal.Signal + +Note that the encrypted backends are experimental and may cause data loss on some systems. Press Yes to proceed with plaintext password store or No to exit. | @@ -51,8 +54,11 @@ case "${SIGNAL_PASSWORD_STORE}" in esac if [[ "${SIGNAL_PASSWORD_STORE}" == "basic" ]]; then - echo "Info: Using basic password store. The encryption key to the datbase will be stored unencrypted." - echo "Info: If you see a database opening error, you should change the environent variable SIGNAL_PASSWORD_STORE to one of the following: gnome-libsecret, kwallet, kwallet5, or kwallet6" + if [[ -f "${XDG_CACHE_HOME}"/warning-shown ]]; then + rm "${XDG_CACHE_HOME}"/warning-shown || true + else + report_warning + fi fi if [[ "${SIGNAL_DISABLE_GPU}" -eq 1 ]]; then 
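Review bot: In the second hunk of PATCH 6/6 the marker test looks inverted: with the `basic` store an existing `warning-shown` file is deleted and the warning is skipped, while a missing file calls report_warning, which (as shown in PATCH 5/6) creates the file again on Yes. The plaintext-storage warning therefore appears only on every other launch, and the marker is no longer cleared when the user switches to an encrypted store, unlike the block this commit removes at the end of the script. The intended shape is probably `[[ -f "${XDG_CACHE_HOME}/warning-shown" ]] || report_warning` inside the `basic` branch, with `rm -f -- "${XDG_CACHE_HOME}/warning-shown"` in an `else` of the outer `if`. The dialog text in the first hunk still names `gnome_libsecret` while the command it shows uses `gnome-libsecret`.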
@@ -71,19 +77,4 @@ echo "Debug: Will run signal with the following arguments:" "${EXTRA_ARGS[@]}" echo "Debug: Additionally, user gave: $*" export TMPDIR="${XDG_RUNTIME_DIR}/app/${FLATPAK_ID}" - -found_basic_pw_store=false -for value in "${EXTRA_ARGS[@]}"; do - if [[ "--password-store=basic" = "$value" ]]; then - found_basic_pw_store=true - break - fi -done - -if "$found_basic_pw_store" && [[ ! -f "${XDG_CACHE_HOME}"/warning-shown ]]; then - report_warning -elif ! "$found_basic_pw_store"; then - rm "${XDG_CACHE_HOME}"/warning-shown || true -fi - exec zypak-wrapper "/app/Signal/signal-desktop" "${EXTRA_ARGS[@]}" "$@"