PSA:

If you get the error "Possibly a malicious file. Aborting installation", it's because it's true: the hash of the file in the nostr event does not match the hash of the downloaded asset.

Two possible reasons:

- The developer modified the release after publishing the nostr event to the Zapstore relay

- There is a server compromise or a man-in-the-middle attack

This is Zapstore protecting you, not trying to annoy you.

In the case of APKs indexed by Zapstore (from GitHub, for example) this will be mitigated with the new zapstore-cli indexer going live in a few weeks.

If the app was signed by a developer, you need to contact the developer.

I am going to improve the messaging, and add a "reckless mode" for those who want to install or upgrade despite the mismatch.
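The check the PSA describes, written out as an added example (this is not Zapstore's own code). It assumes the release event carries the asset's SHA-256 in an `x` tag the way NIP-94 file metadata events (kind 1063) do; the event, the APK bytes, and the URL below are all constructed for the demo. It also reproduces the case raised later in the discussion, where a release has two APK variants but the event only names one of them: the second variant fails the same check, and the message cannot tell a re-uploaded release or an unsigned variant from a tampered download, only that the bytes differ from what was published.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for two APK variants of one release.
RELEASE_APK = b"PK\x03\x04 constructed bytes standing in for app-release.apk"
DEBUG_APK = b"PK\x03\x04 constructed bytes standing in for app-debug.apk"
# A download that was altered after the event was published (or in transit).
TAMPERED_APK = RELEASE_APK + b"\x00 extra bytes appended later"

# Constructed NIP-94-style event. Assumption: the hash lives in an "x" tag;
# only the release variant is announced, the debug variant is not.
RELEASE_EVENT = {
    "kind": 1063,
    "tags": [
        ["url", "https://example.invalid/app-release.apk"],
        ["m", "application/vnd.android.package-archive"],
        ["x", hashlib.sha256(RELEASE_APK).hexdigest()],
    ],
}


def expected_hash(event):
    """Return the lowercase sha256 hex digest from the event's first 'x' tag, or None."""
    for tag in event.get("tags", []):
        if len(tag) >= 2 and tag[0] == "x":
            return tag[1].lower()
    return None


def verify_asset(event, asset_bytes):
    """Compare a downloaded asset against the hash announced in the event.

    Returns (ok, message). Any mismatch yields the abort message from the PSA;
    the comparison is constant-time so the error path does not leak how many
    leading digits matched.
    """
    announced = expected_hash(event)
    if announced is None:
        return False, "Event carries no file hash. Aborting installation"
    actual = hashlib.sha256(asset_bytes).hexdigest()
    if not hmac.compare_digest(actual, announced):
        return False, (
            "Possibly a malicious file. Aborting installation "
            f"(event says {announced[:12]}..., download is {actual[:12]}...)"
        )
    return True, "Hash matches the nostr event; safe to install"


if __name__ == "__main__":
    for label, blob in [("release", RELEASE_APK),
                        ("debug variant", DEBUG_APK),
                        ("tampered download", TAMPERED_APK)]:
        ok, msg = verify_asset(RELEASE_EVENT, blob)
        print(f"{label:18} ok={ok} {msg}")
```

Note that the debug variant and the tampered download produce the identical error: from the installer's side both are simply bytes whose hash is not in the event, which is why the thread's proposed fix is to publish one hash per variant rather than to relax the check.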


Discussion

The proprietary apps do this more than others. Makes you wonder who's changing what and why?

Play it safe. Assume worst case scenario of some Anonymous hacker scum or government 3-letter agency injecting malicious code.

We usually just want things to work, but sometimes when they don't, they are actually working perfectly fine, just not in the way we expected.

nostr:nevent1qqsr22l8s9k3tt2f9du8jsv5jzevt67xk47m06f5h9c2kluvl45cmegpr9mhxue69uhhwmm59e38y6t8dp6xymmvwshxuet59upzq7xwd748yfjrsu5yuerm56fcn9tntmyv04w95etn0e23xrczvvraqvzqqqqqqyx5tpy3

Almost always when I see a hash mismatch it's because of the app having several different APKs, but Zapstore only ever signs one of them per release.

One I saw recently was Syncthing which has one APK with debugging and one without. I installed the one without debugging from Obtainium and then got a warning from Zapstore later that the package doesn't match.

Do you have any plans to fix this? Maybe adding support for multiple binaries per release or something?

Yes. Variants feature

🚨ATTENTION 🚨 👀

#nostr #nostriches #attention #alert #bitcoin #upgrade #download #zapstore #zaps #plebs #amethyst

nostr:nevent1qqsr22l8s9k3tt2f9du8jsv5jzevt67xk47m06f5h9c2kluvl45cmegppemhxue69uhkummn9ekx7mp0qgs83nn04fezvsu89p8xg7axjwye2u67errat3dx2um725fs7qnrqlgrqsqqqqqp042wkr

If you receive the error: "Possibly a malicious file. Aborting installation", it's because it's true. The hash of the file in the nostr event does not match the hash of the downloaded asset.

Two possible reasons:

- The developer modified the release after publishing the nostr event to the Zapstore relay.

- There is a server vulnerability or a man-in-the-middle attack.

Zapstore is protecting you, not trying to annoy you.

In the case of APKs indexed by Zapstore (from GitHub, for example), this will be mitigated with the new Zapstore-cli indexer, which will be available in a few weeks.

If the application was signed by a developer, you must contact them.

I am going to improve the messaging and add a "reckless mode" for those who want to install or update despite the mismatch.

nostr:nevent1qvzqqqqqqypzq7xwd748yfjrsu5yuerm56fcn9tntmyv04w95etn0e23xrczvvraqqsr22l8s9k3tt2f9du8jsv5jzevt67xk47m06f5h9c2kluvl45cmegtrkdc3

In case of Zapstream, I have already written to nostr:nprofile1qqsx8lnrrrw9skpulctgzruxm5y7rzlaw64tcf9qpqww9pt0xvzsfmgprfmhxue69uhhq7tjv9kkjepwve5kzar2v9nzucm0d5hsz9thwden5te0wfjkccte9ejxzmt4wvhxjme0qyvhwumn8ghj7un9d3shjtnndehhyapwwdhkx6tpdshssfnq7m, now waiting for a response. And I know what a hash mismatch is. And I know that Kieran is a trusted signer on Zapstore so I hope he didn't actually release malware.


Sure. I get this a lot, that's why I wanted to explain

I actually love seeing this for two reasons:

1. It means zapstore is actually checking to protect me from GitHub shenanigans or man-in-the-middle attacks.

2. It makes zapstore look bad to have all this, but there is nothing it can do to polish over it because it is truly decentralized.