How do you know? Have you audited the source code of the software?

Have you audited the code for Signal's app? Have you built and installed the app from that audited source?

Asking "have you audited the source" is such a meaningless question when you're not building from source (and auditing the compiler...), which practically nobody, not even HN users, are doing.

Please read Reflections on trusting trust and rethink what your threat model is, and what you consider "secure". https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p7...

At least it's technically possible for Signal. Try getting hold of iMessage's source.

How does one use public key cryptography without some kind of key?

imessage also uses rsa 1024 which is very much within the range practical brute force these days