From 787eaee6a01287e55dd4ea8ff7a4eab558db4c32 Mon Sep 17 00:00:00 2001
From: Michelle Tang <mtang@signal.org>
Date: Fri, 27 Mar 2026 16:18:07 -0400
Subject: [PATCH] Bump to libsignal v0.90.0

Co-authored-by: Andrew <andrew@signal.org>
---
 .../dependencies/KeyTransparencyApi.kt        | 18 ++----------
 .../securesms/jobs/CheckKeyTransparencyJob.kt | 29 +++++++------------
 .../verify/VerifySafetyNumberRepository.kt    | 24 +++++++--------
 gradle/libs.versions.toml                     |  2 +-
 gradle/verification-metadata.xml              | 28 +++++++-----------
 5 files changed, 35 insertions(+), 66 deletions(-)

diff --git a/app/src/main/java/org/thoughtcrime/securesms/dependencies/KeyTransparencyApi.kt b/app/src/main/java/org/thoughtcrime/securesms/dependencies/KeyTransparencyApi.kt
index 0f99154983..23ff43a303 100644
--- a/app/src/main/java/org/thoughtcrime/securesms/dependencies/KeyTransparencyApi.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/dependencies/KeyTransparencyApi.kt
@@ -1,7 +1,7 @@
 package org.thoughtcrime.securesms.dependencies
 
 import org.signal.libsignal.keytrans.KeyTransparencyException
-import org.signal.libsignal.net.KeyTransparency
+import org.signal.libsignal.net.KeyTransparency.CheckMode
 import org.signal.libsignal.net.RequestResult
 import org.signal.libsignal.net.getOrError
 import org.signal.libsignal.protocol.IdentityKey
@@ -14,21 +14,9 @@ import org.whispersystems.signalservice.api.websocket.SignalWebSocket
  */
 class KeyTransparencyApi(private val unauthWebSocket: SignalWebSocket.UnauthenticatedWebSocket) {
 
-  /**
-   * Uses KT to verify recipient. This is an unauthenticated and should only be called the first time KT is being requested for this recipient.
-   */
-  suspend fun search(aci: ServiceId.Aci, aciIdentityKey: IdentityKey, e164: String?, unidentifiedAccessKey: ByteArray?, usernameHash: ByteArray?, keyTransparencyStore: KeyTransparencyStore): RequestResult<Unit, KeyTransparencyException> {
+  suspend fun check(checkMode: CheckMode, aci: ServiceId.Aci, aciIdentityKey: IdentityKey, e164: String?, unidentifiedAccessKey: ByteArray?, usernameHash: ByteArray?, keyTransparencyStore: KeyTransparencyStore): RequestResult<Unit, KeyTransparencyException> {
     return unauthWebSocket.runCatchingWithUnauthChatConnection { chatConnection ->
-      chatConnection.keyTransparencyClient().search(aci, aciIdentityKey, e164, unidentifiedAccessKey, usernameHash, keyTransparencyStore)
-    }.getOrError()
-  }
-
-  /**
-   * Monitors KT to verify recipient. This is an unauthenticated and should only be called following a successful [search].
-   */
-  suspend fun monitor(monitorMode: KeyTransparency.MonitorMode, aci: ServiceId.Aci, aciIdentityKey: IdentityKey, e164: String?, unidentifiedAccessKey: ByteArray?, usernameHash: ByteArray?, keyTransparencyStore: KeyTransparencyStore): RequestResult<Unit, KeyTransparencyException> {
-    return unauthWebSocket.runCatchingWithUnauthChatConnection { chatConnection ->
-      chatConnection.keyTransparencyClient().monitor(monitorMode, aci, aciIdentityKey, e164, unidentifiedAccessKey, usernameHash, keyTransparencyStore)
+      chatConnection.keyTransparencyClient().check(checkMode, aci, aciIdentityKey, e164, unidentifiedAccessKey, usernameHash, keyTransparencyStore)
     }.getOrError()
   }
 }
diff --git a/app/src/main/java/org/thoughtcrime/securesms/jobs/CheckKeyTransparencyJob.kt b/app/src/main/java/org/thoughtcrime/securesms/jobs/CheckKeyTransparencyJob.kt
index b4a0121ede..78998695e0 100644
--- a/app/src/main/java/org/thoughtcrime/securesms/jobs/CheckKeyTransparencyJob.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/jobs/CheckKeyTransparencyJob.kt
@@ -1,7 +1,7 @@
 package org.thoughtcrime.securesms.jobs
 
 import org.signal.core.util.logging.Log
-import org.signal.libsignal.net.KeyTransparency
+import org.signal.libsignal.net.KeyTransparency.CheckMode
 import org.signal.libsignal.net.RequestResult
 import org.signal.libsignal.usernames.Username
 import org.thoughtcrime.securesms.crypto.ProfileKeyUtil
@@ -110,25 +110,16 @@ class CheckKeyTransparencyJob private constructor(
     SignalStore.misc.lastKeyTransparencyTime = System.currentTimeMillis()
 
     val recipient = SignalDatabase.recipients.getRecord(Recipient.self().id)
-    val aciIdentityKey = SignalStore.account.aciIdentityKey.publicKey
-    val aci = recipient.aci!!.libSignalAci
 
-    val (e164, unidentifiedAccessKey) = if (SignalStore.phoneNumberPrivacy.phoneNumberDiscoverabilityMode == PhoneNumberDiscoverabilityMode.DISCOVERABLE) {
-      Pair(recipient.e164!!, ProfileKeyUtil.profileKeyOrNull(recipient.profileKey).let { UnidentifiedAccess.deriveAccessKeyFrom(it) })
-    } else {
-      Pair(null, null)
-    }
-
-    val usernameHash = SignalStore.account.username?.let { Username(it).hash }
-    val firstSearch = recipient.keyTransparencyData == null
-
-    val result = if (firstSearch) {
-      Log.i(TAG, "First search in key transparency")
-      SignalNetwork.keyTransparency.search(aci, aciIdentityKey, e164, unidentifiedAccessKey, usernameHash, KeyTransparencyStore)
-    } else {
-      Log.i(TAG, "Monitoring search in key transparency")
-      SignalNetwork.keyTransparency.monitor(KeyTransparency.MonitorMode.SELF, aci, aciIdentityKey, e164, unidentifiedAccessKey, usernameHash, KeyTransparencyStore)
-    }
+    val result = SignalNetwork.keyTransparency.check(
+      checkMode = CheckMode.Self(isE164Discoverable = SignalStore.phoneNumberPrivacy.phoneNumberDiscoverabilityMode == PhoneNumberDiscoverabilityMode.DISCOVERABLE),
+      aci = recipient.aci!!.libSignalAci,
+      aciIdentityKey = SignalStore.account.aciIdentityKey.publicKey,
+      e164 = recipient.e164!!,
+      unidentifiedAccessKey = ProfileKeyUtil.profileKeyOrNull(recipient.profileKey).let { UnidentifiedAccess.deriveAccessKeyFrom(it) },
+      usernameHash = SignalStore.account.username?.let { Username(it).hash },
+      keyTransparencyStore = KeyTransparencyStore
+    )
 
     Log.i(TAG, "Key transparency complete, result: $result")
     return when (result) {
diff --git a/app/src/main/java/org/thoughtcrime/securesms/verify/VerifySafetyNumberRepository.kt b/app/src/main/java/org/thoughtcrime/securesms/verify/VerifySafetyNumberRepository.kt
index 9fbdc5722a..41e5408726 100644
--- a/app/src/main/java/org/thoughtcrime/securesms/verify/VerifySafetyNumberRepository.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/verify/VerifySafetyNumberRepository.kt
@@ -1,7 +1,7 @@
 package org.thoughtcrime.securesms.verify
 
 import org.signal.core.util.logging.Log
-import org.signal.libsignal.net.KeyTransparency
+import org.signal.libsignal.net.KeyTransparency.CheckMode
 import org.signal.libsignal.net.RequestResult
 import org.thoughtcrime.securesms.crypto.ProfileKeyUtil
 import org.thoughtcrime.securesms.database.model.KeyTransparencyStore
@@ -19,7 +19,7 @@ object VerifySafetyNumberRepository {
   private val TAG = Log.tag(VerifySafetyNumberRepository::class.java)
 
   /**
-   * Given a recipient will try to verify via search (first time) or monitor (subsequent).
+   * Given a recipient will try to verify via key transparency.
    */
   suspend fun verifyAutomatically(recipient: Recipient): VerifyResult {
     val profileKey = ProfileKeyUtil.profileKeyOrNull(recipient.profileKey)
@@ -31,18 +31,16 @@ object VerifySafetyNumberRepository {
     }
 
     val aciIdentityKey = identityRecord.get().identityKey
-    val aci = recipient.requireAci().libSignalAci
-    val e164 = recipient.requireE164()
-    val unidentifiedAccessKey = profileKey.let { UnidentifiedAccess.deriveAccessKeyFrom(it) }
-    val firstSearch = recipient.keyTransparencyData == null
 
-    val result = if (firstSearch) {
-      Log.i(TAG, "First search in key transparency")
-      SignalNetwork.keyTransparency.search(aci, aciIdentityKey, e164, unidentifiedAccessKey, usernameHash = null, KeyTransparencyStore)
-    } else {
-      Log.i(TAG, "Monitoring search in key transparency")
-      SignalNetwork.keyTransparency.monitor(KeyTransparency.MonitorMode.OTHER, aci, aciIdentityKey, e164, unidentifiedAccessKey, usernameHash = null, KeyTransparencyStore)
-    }
+    val result = SignalNetwork.keyTransparency.check(
+      checkMode = CheckMode.Contact,
+      aci = recipient.requireAci().libSignalAci,
+      aciIdentityKey = aciIdentityKey,
+      e164 = recipient.requireE164(),
+      unidentifiedAccessKey = profileKey.let { UnidentifiedAccess.deriveAccessKeyFrom(it) },
+      usernameHash = null,
+      keyTransparencyStore = KeyTransparencyStore
+    )
 
     Log.i(TAG, "Key transparency complete, result: $result")
     return when (result) {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 69b166ed6d..b81cda10a1 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -27,7 +27,7 @@ androidx-navigation3-core = "1.0.0"
 androidx-core-telecom = "1.0.1"
 androidx-window = "1.3.0"
 glide = "4.15.1"
-libsignal-client = "0.89.2"
+libsignal-client = "0.90.0"
 mp4parser = "1.9.39"
 accompanist = "0.28.0"
 nanohttpd = "2.3.1"
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index c6f72028e9..5b732e15fa 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -16820,28 +16820,20 @@ https://docs.gradle.org/current/userguide/dependency_verification.html
             <sha256 value="57b3cf8f247f1990211110734a7d1af413db145c8f17eb1b2cdc9b9321188c2b" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.signal" name="libsignal-android" version="0.88.3">
-         <artifact name="libsignal-android-0.88.3.aar">
-            <sha256 value="093b49beb4503b064a8d2dcbe2731f3399722f4d7992fcb49d3c18eaf0e444a3" origin="Generated by Gradle"/>
+      <component group="org.signal" name="libsignal-android" version="0.90.0">
+         <artifact name="libsignal-android-0.90.0.aar">
+            <sha256 value="cb77013d3cc812d19960ced2c708133e89ef677ed5fb63cd94fbffbb4b0539c2" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="libsignal-android-0.88.3.module">
-            <sha256 value="b1bbd15c1aaa21815a5b2b45ddc890cbbf9cb5826040cd545d9185506ff4dce9" origin="Generated by Gradle"/>
+         <artifact name="libsignal-android-0.90.0.module">
+            <sha256 value="7936de7cea312851f505b90cb50414c5638f22b3dea554e08b3e823a21e8365e" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.signal" name="libsignal-android" version="0.89.2">
-         <artifact name="libsignal-android-0.89.2.aar">
-            <sha256 value="9246fc871a92e0d45fc88d5100b650c4cf9820c0605143a9cd3de1f7bb63244a" origin="Generated by Gradle"/>
+      <component group="org.signal" name="libsignal-client" version="0.90.0">
+         <artifact name="libsignal-client-0.90.0.jar">
+            <sha256 value="ab7d32ff1b417858feb66baab02185be5cd196247e5db88180d08e6623044260" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="libsignal-android-0.89.2.module">
-            <sha256 value="30dbc41fe03f8df4dabf7a41406c2e60ed2dd798a993fb832eb1c52f4a29d417" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="org.signal" name="libsignal-client" version="0.89.2">
-         <artifact name="libsignal-client-0.89.2.jar">
-            <sha256 value="c9570c3d41b7e7f65432d10d6674992707c8ec3c2e16754be257735126fd9176" origin="Generated by Gradle"/>
-         </artifact>
-         <artifact name="libsignal-client-0.89.2.module">
-            <sha256 value="82532b37ce6c0d3907dc521c9cccecddb0a25b6aa33352834e0f3589cfdf5628" origin="Generated by Gradle"/>
+         <artifact name="libsignal-client-0.90.0.module">
+            <sha256 value="54ece76f2c6d8b9012cd81a51f4dfedc727fa66755264743f2eaaf5af7ea0760" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="org.signal" name="ringrtc-android" version="2.67.0">