Nice!
However, unless you need Accrescent for something else, why not verify the Zapstore cert directly? The cert hash is in our profile
Btw that is exactly what AppVerifier does but through a UI
While I didn't build my own CPU from raw silicon, I did verify instead of trusting. I went a few levels deep.
First, I downloaded and installed Android SDK on my laptop.
Then, I used apksigner to check the signatures on accrescent[.]apk
Then I moved the .apk to my phone and installed.
I used Accrescent to install AppVerifier.
I used AppVerifier to verify the .apk for nostr:nprofile1qqs83nn04fezvsu89p8xg7axjwye2u67errat3dx2um725fs7qnrqlgzqtdq0
Always remember, it is best to double check the certificate hash from a different source than where you are getting the .apk. For example, if you got the file from zapstore.dev you should crosscheck their Nostr account and make sure it is the same there. While it is always possible someone could compromise both, it is less likely.
The result:
Discussion
No replies yet.