Replying to a_priori

Yo guys, maybe I'm regarded, but I'd like to try nostr:nprofile1qqs83nn04fezvsu89p8xg7axjwye2u67errat3dx2um725fs7qnrqlgzqtdq0 and it seems daunting. I'm supposed to get AppVerifier first to verify Zapstore. But to get AppVerifier, I'm supposed to get Accrescent first to make sure I'm getting the real AppVerifier. To get Accrescent, I'm supposed to use "apksigner" first to make sure it's the real Accrescent. It looks like I somehow have to get to a terminal on my phone to run the apksigner command and I have no idea how to do that. Do I first need Android SDK on my laptop? Download Accrescent there and check it? Then move it to my phone?

#asknostr

There is no end to this process whether you do it on mobile or laptop or anything else. You see, no matter how many verification steps you include at the end of the chain you still have _some_ app or package to trust. There is no root of trust in that sense.

The app verifier step is enough because to really validate Zapstore you need to test how it works when installed, and/or rely on others reporting bugs/exploits here. Remember, anyone could have posted a binary that is signed properly with _some_ key but is still malicious.

If you have the source code, can check crucial parts, and can build it yourself, that is the most you can do, but most will rely on some executable already built and the whole open source community to report bad stuff.
