Gets decrypted key from latest Signal desktop app to use with sigtop

signal_get_key.py

#!/usr/bin/env python3

import os
import json

from Crypto.Protocol.KDF import PBKDF2
from Crypto.Hash import SHA1
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

def aes_decrypt_cbc(key, iv, data):
	cipher = AES.new(key, AES.MODE_CBC, iv)
	return cipher.decrypt(data)

password = <PUT HERE YOUR PASSWORD FROM KEYCHAIN>

prefix = b'v10'
salt = 'saltysalt'
derived_key_len = 128 // 8
num_iterations = 1003
iv = b' ' * 16
config_file_path = '~/Library/Application Support/Signal/config.json'

with open(os.path.expanduser(config_file_path), 'r') as f:
	config = json.loads(f.read())
encrypted_key = bytes.fromhex(config['encryptedKey'])
assert encrypted_key.startswith(prefix)
encrypted_key = encrypted_key[len(prefix):]

kek = PBKDF2(password, salt, dkLen = derived_key_len, count = num_iterations, hmac_hash_module = SHA1)
decrypted_key = unpad(aes_decrypt_cbc(kek, iv, encrypted_key), block_size = 16).decode('ascii')
print('0x' + decrypted_key)

The current version unfortunately only with v10 encrypted key, not with v11 which at least Signal Desktop for Linux uses.

@direc85 It was just a PoC I made for sigtop to show how this stuff works. You should check the named repository for new versions.

im getting this error ValueError: Data must be padded to 16 byte boundary in CBC mode

Thank you so much for this gist!! For anyone wondering how to get the password from keychain, this is the command that can be used in your terminal:

security find-generic-password -s "Signal Safe Storage" -a "Signal Key"  -w

(I asked ChatGPT how to retrieve it based on this code: https://github.com/bepaald/signalbackup-tools/blob/master/desktopdatabase/getsecrets_mac.cc)