The scariest part of this recent news is that TM Signal seem(ed) to be interoperable. People using TM Signal could interact with actual Signal users, and the conversations could be archived.
Is there a way to verify/ enforce users in a group are using the official Signal client?
At the moment you can’t. The only realistic way I could see that happening is if the servers would check the app’s digital signature and refuse the app from communicating with the official infrastructure if it didn’t match.
Which would be absolutely disgusting given that Signal’s official app lacks some basic functionality!
Even then, nothing stops the client from lying to the server.
That’s the point of digitally signing the app, to ensure its authenticity and integrity. TM and others wouldn’t be able to resign the modified app with the Signal Foundation signature.
EDIT: Yeah after thinking more about it it’s not a trivial problem, as you need to assume that the endpoint is inherently untrusted.
It’s actually possible in a way:
https://en.m.wikipedia.org/wiki/SafetyNet
But you necessarily need to limit the devices and operating systems that are allowed. No custom ROMs, no root access, etc.
It’s bullshit and breaks open computing as a concept.
Fuck Safetynet and Play Integrity.