Do we relly know the server actually does this when you can't run your own Signa...

maqp · 2025-12-15T22:02:15 1765836135

Short answer is no.

Signal provides content-privacy by design with E2EE. Signal provide metadata-privacy by policy, i.e. they choose to not collect data or mine information from it. If you need metadata-privacy by design, you're better off with purpose-built tools like Cwtch, Ricochet Refresh, OnionShare, or perhaps Briar.

master-lincoln · 2025-12-15T20:35:42 1765830942

I thought you could compile from source and run Signal server instances, but there is no federation, so you would need a client that points to your server and you could only talk to other people using that client.

https://github.com/signalapp/Signal-Server

GranPC · 2025-12-15T20:39:14 1765831154

They use remote attestation based on SGX. So, assuming SGX can be trusted, yes. See https://signal.org/blog/private-contact-discovery/

dathinab · 2025-12-15T20:42:32 1765831352

and assuming you have a practical way to

- verify the attestation

- make sure it means the code they have published is the attested code

- make sure the published code does what it should

- and catch any divergence to this *fast enough* to not cause much damage

....

it's without question better then doing nothing

but it's fundamentally not a perfect solution

but it's very unclear if there even is a perfect solution, I would guess due to the characteristics of phone numbers there isn't a perfect solution

mjg59 · 2025-12-16T04:16:55 1765858615

Well, no - as long as someone you trust is able to do that verification, that's good enough.