MOUNTAIN VIEW, May 15 — The Signal Foundation on Thursday released a coordinated desktop and mobile client update that introduces automatic quarterly rotation of long-term identity keys on every account, the foundation told Consumer Tech Wire, closing what an outside cryptographer described as one of the Signal Protocol’s longest-standing post-compromise recovery gaps.
The Signal Protocol’s session keys — the keys used to encrypt individual messages — already rotate on a per-message basis through the Double Ratchet construction that has defined the protocol since 2013. The longer-lived identity key, which authenticates a user’s device pair across sessions and which underlies the safety-number verification flow that security-conscious users perform manually, has historically rotated only on device reinstallation. That asymmetry meant that a one-time compromise of an identity key — through device seizure, malware, or supply-chain attack — could persist for the lifetime of a user’s installation.
“This is the change the academic literature has been asking Signal to make for at least seven years,” said Asha Lindqvist-Park, a cryptographer at Stanford’s Applied Cryptography Group, in an interview. “The Double Ratchet gives you forward secrecy on message keys, which is excellent. But the long-term identity key was the protocol’s bottleneck on post-compromise recovery. A quarterly rotation cadence is conservative — it’s not the daily rotation some of us would have argued for in a clean-sheet design — but it’s the operationally realistic choice given the safety-number surface.”
What does not change
Signal said the rotation is invisible to users in the most operationally important sense: a safety number a user verified with a contact in 2023 will continue to read as verified after the rotation, because the foundation has designed the cryptographic linkage between successive identity keys to preserve the verification chain. The mechanism is similar in spirit to TLS-style certificate rotation under a stable Common Name, the foundation said, and is built on a hash-chain commitment that is independently auditable from the protocol’s public state.
That design choice is what makes the rollout shippable to a consumer install base, Lindqvist-Park said. A naive identity-key rotation would have generated a torrent of “safety number changed” notifications across every conversation in the user’s history — a user-experience pattern that, historically, has caused Signal users either to verify the new number reflexively without checking it, or to disable the warning entirely. Both outcomes would have eroded the verification flow’s security value.
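One way such a linkage can be built, as an added illustration and not the foundation's own construction (which the article says has not yet been published): each rotation record carries a hash-chain commitment to every earlier key and is signed by the key being retired, so a contact who verified an old key can walk the chain to the current key instead of re-verifying. Ed25519 keys, SHA-256, the record layout, the genesis convention and the function names are assumptions of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RotationRecord announces the next identity key. It commits to every earlier
// key via a hash chain and is signed by the key being retired, so only the
// holder of the previous private key can extend the chain. (Sketch, not Signal's format.)
type RotationRecord struct {
	NewPub     ed25519.PublicKey
	PrevCommit [32]byte
	Sig        []byte
}

// commit extends the hash chain: H(previous commitment || new public key).
func commit(prev [32]byte, pub ed25519.PublicKey) [32]byte {
	return sha256.Sum256(append(prev[:], pub...))
}

// Genesis is the commitment a contact records when first verifying a key (assumed convention).
func Genesis(pub ed25519.PublicKey) [32]byte { return commit([32]byte{}, pub) }

func signedBody(r RotationRecord) []byte { return append(r.PrevCommit[:], r.NewPub...) }

// Rotate mints the next key pair and signs its announcement with the current
// private key; returns the new private key, the record and the new commitment.
func Rotate(cur ed25519.PrivateKey, prevCommit [32]byte) (ed25519.PrivateKey, RotationRecord, [32]byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	r := RotationRecord{NewPub: pub, PrevCommit: prevCommit}
	r.Sig = ed25519.Sign(cur, signedBody(r))
	return priv, r, commit(prevCommit, pub)
}

// VerifyChain walks from the key and commitment a contact verified earlier to the
// current key, rejecting records not signed by their predecessor or not chained
// to the expected commitment (spliced keys, reordered records, forged rotations).
func VerifyChain(trustedPub ed25519.PublicKey, trustedCommit [32]byte, chain []RotationRecord) (ed25519.PublicKey, [32]byte, error) {
	pub, c := trustedPub, trustedCommit
	for i, r := range chain {
		if r.PrevCommit != c {
			return nil, c, fmt.Errorf("record %d: commitment does not match chain", i)
		}
		if !ed25519.Verify(pub, signedBody(r), r.Sig) {
			return nil, c, fmt.Errorf("record %d: not signed by previous identity key", i)
		}
		pub, c = r.NewPub, commit(c, r.NewPub)
	}
	return pub, c, nil
}
```

A client that stores the commitment alongside each verified safety number can accept a rotation silently only when VerifyChain succeeds, and fall back to the "safety number changed" warning otherwise.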
Rollout
The update ships in the Signal Android 7.42 release and the iOS 7.42 release on Thursday, the foundation said, with the desktop client following on Friday. Identity-key rotation begins on a user’s account at the next client launch following the update and proceeds on a 90-day cadence thereafter. Users who run the foundation’s standalone command-line client, signal-cli, will receive the change in a follow-on release later in May.
Signal said the foundation will publish a full technical write-up of the cryptographic construction on its engineering blog next week, including the formal post-compromise-security argument and a reference to an independent third-party review the foundation commissioned earlier this year.
Ronan Whitfield-Asari reported from San Francisco.