Replying to Avatar Zapstore

PSA:

If you get an error: "Possibly a malicious file. Aborting installation" it's because it's true. The hash of the file in the nostr event does not match the hash of the downloaded asset.

Two possible reasons:

- The developer modified the release after publishing the nostr event to the Zapstore relay

- There is a server compromise or a man-in-the-middle attack

This is Zapstore protecting you, not trying to annoy you.

In the case of APKs indexed by Zapstore (from Github, for example) this will be mitigated with the new zapstore-cli indexer going live in a few weeks.

If the app was signed by a developer, you need to contact the developer.

I am going to improve the messaging, and add a "reckless mode" for those who want to install or upgrade despite the mismatch.
Avatar
plor 7mo ago

I actually love seeing this for two reasons:

1. It means zapstore is actually checking to protect me from github shenanigans or man-in-the-middle attacks.

2. It makes zapstore look bad to have all this, but there is nothing it can do to polish over it because it is truly decentralized.

Reply to this note

Please Login to reply.

Discussion

No replies yet.