Replying to Zapstore

PSA:

If you get an error: "Possibly a malicious file. Aborting installation" it's because it's true. The hash of the file in the nostr event does not match the hash of the downloaded asset.

Two possible reasons:

- The developer modified the release after publishing the nostr event to the Zapstore relay

- There is a server compromise or a man-in-the-middle attack

This is Zapstore protecting you, not trying to annoy you.

In the case of APKs indexed by Zapstore (from GitHub, for example) this will be mitigated with the new zapstore-cli indexer going live in a few weeks.

If the app was signed by a developer, you need to contact the developer.

I am going to improve the messaging, and add a "reckless mode" for those who want to install or upgrade despite the mismatch.
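
The check the PSA describes, as an added example that is not part of the thread and not Zapstore's code: compare the SHA-256 committed in the event with the SHA-256 of the downloaded file, after confirming the event id still covers that hash. It assumes the hash travels NIP-94 style in an `x` tag of a kind 1063 event; the event, pubkey and file bytes are constructed.

```python
import hashlib
import json
import os
import tempfile

def event_id(ev):
    """NIP-01 event id: SHA-256 of the canonical JSON array of the event fields."""
    fields = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(fields, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def file_sha256(path, chunk=1 << 16):
    """Hash the downloaded asset in chunks so large APKs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_asset(ev, path):
    """Return 'ok', 'hash-mismatch', 'no-hash' or 'event-tampered'."""
    # The id commits to the tags, so an edited hash tag no longer matches it.
    # A real client must also verify the Schnorr signature over the id (omitted here).
    if ev.get("id") != event_id(ev):
        return "event-tampered"
    expected = next((t[1].lower() for t in ev["tags"] if len(t) > 1 and t[0] == "x"), None)
    if expected is None:
        return "no-hash"
    return "ok" if expected == file_sha256(path) else "hash-mismatch"

def sample_event(asset_bytes):
    """Constructed event: placeholder pubkey, assumed NIP-94 kind and 'x' tag."""
    ev = {"pubkey": "00" * 32, "created_at": 1700000000, "kind": 1063,
          "tags": [["x", hashlib.sha256(asset_bytes).hexdigest()]], "content": ""}
    ev["id"] = event_id(ev)
    return ev

def demo():
    published = b"constructed APK bytes, as published"
    ev = sample_event(published)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.apk")
        for label, data in (("as published", published), ("replaced later", published + b"!")):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = check_asset(ev, path)
    return results

if __name__ == "__main__":
    print(demo())
```

A mismatch alone cannot distinguish the two causes listed in the PSA: a release re-uploaded by the developer and a tampered download both produce the same result.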

stl1988 7mo ago

In case of Zapstream, I have already written to nostr:nprofile1qqsx8lnrrrw9skpulctgzruxm5y7rzlaw64tcf9qpqww9pt0xvzsfmgprfmhxue69uhhq7tjv9kkjepwve5kzar2v9nzucm0d5hsz9thwden5te0wfjkccte9ejxzmt4wvhxjme0qyvhwumn8ghj7un9d3shjtnndehhyapwwdhkx6tpdshssfnq7m, now waiting for a response. And I know what a hash mismatch is. And I know that Kieran is a trusted signer on Zapstore so I hope he disn't actually release malware.


Discussion

stl1988 7mo ago

*didn't

Zapstore 7mo ago

Sure. I get this a lot, that's why I wanted to explain
