Hashes are good, but ultimately public/private key cryptography is needed in some form to ensure trust minimized to just signer/dev (holder of private key)
Discussion
Are you saying the initials zap.store download is verified by our nostr keys then?
zap.store does this for you, but you are right that for verifying zap.store itself you need to either trust the domain or verify the hash.
This is why we publish hashes in our nostr profile.
If you already have AppVerifier, that's one way. Or you could do it in the computer. Would be nice to have tutorials for both
That’s why I asked about a website to check as I do not have either(pc or app) to check the hashes.
I'm not against it but you need to trust the website host then.
Ideally we want multiple websites pulling these events. https://zap.store eventually will show this info, and then something like an app in nostrudel "more" could work too