My main issue with Zapstore is the number of apps that are signed by Zapstore rather than the developer. It seems to me that you're relying on a single person and key to sign a lot of critical apps (Bitwarden, etc). Where Obtainium at least spreads the risk out (or it seems to anyway). Maybe it has the same problems and I'm mistaken somewhere. nostr:npub10r8xl2njyepcw2zwv3a6dyufj4e4ajx86hz6v4ehu4gnpupxxp7stjt2p8

Either way, I tried Zapstore and just used it for apps like Amber that are signed by the Dev to make myself feel better. I ultimately gave up because Zapstore kept trying to update every app with no way of excluding the ones I didn't want it touching.


Discussion

nostr:nprofile1qqs0agvxc2jx0rdugdmsfmkjzcyyd698s8jlk9c9d6dmxvuyp4daauspz9mhxue69uhkummnw3ezumrpdejz7qgmwaehxw309a6xsetxdaex2um59ehx7um5wgcjucm0d5hsxx5cc2 I don't see an issue with it because they clearly display SHA256.

Let's take Bitwarden latest release for example. This is a sha for the apk from their GitHub repo (copy/paste)

sha256:fc8c8124650665270925648e0ec35bf7336f26058e3bd72eabf41d859727d220

You will see this same sha displayed in zapstore. Makes no huge difference who signs the release if keys match.

This is a misconception and conflation of concepts, but it's my fault for not explaining better (although it has been addressed in the latest Zapstore).

Define signing? Indexed apps on Zapstore are simply caching what is on GitHub (for discoverability, which is nil in Obtainium) and signing a Nostr event with that. They are NOT signing the APK. So in this sense it has the exact same level of risk as Obtainium. I would say less, because on Zapstore you can tell what you are about to install; in Obtainium it's not that clear because of lacking metadata.

By default Zapstore will install from the external/original source, and only fall back if it 404'd:

@nostr:npub1l6scds4yv7xmcsmhqnhdy9sggm520q09lvts2m5mkvecgr2mmmeqsuj5rc we're working on splitting relays for indexed vs developer-signed apps; implementing relay management UI as we speak.

https://github.com/zapstore/zapstore/issues/205

and soon the ability to hide closed source apps:

https://github.com/zapstore/zapstore/issues/197

Hope that brings you back!
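The two posts above describe one check from two sides: the indexer signs a Nostr event that carries the artifact's SHA256, and the user compares that hash with the one from the upstream release page. The following is an added example (not Zapstore's code, and not anyone's post in this thread) that makes the distinction concrete: the Nostr event id is a hash over the event fields (NIP-01), so a signature over it binds the advertised URL and hash, but only hashing the downloaded bytes binds the APK itself. The event tag layout is an assumption modelled on NIP-94 (kind 1063, `x` tag for the SHA256); the APK bytes, URL and pubkey are constructed placeholders.

```python
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed sample bytes standing in for a downloaded APK (not a real release).
GOOD_APK = b"PK\x03\x04" + b"constructed-apk-contents-for-demo" * 8
TAMPERED_APK = GOOD_APK[:-1] + b"\x00"  # one byte flipped, same length


def sha256_hex(data: bytes) -> str:
    """Hex digest, the form a GitHub release page and Zapstore display."""
    return hashlib.sha256(data).hexdigest()


def event_id(event: dict) -> str:
    """NIP-01 event id: sha256 over the canonical JSON array
    [0, pubkey, created_at, kind, tags, content]. The publisher's Schnorr
    signature (`sig`) is made over this id, so it binds the tags, including the
    advertised artifact hash, but never the artifact bytes themselves."""
    serialized = json.dumps(
        [0, event["pubkey"], event["created_at"], event["kind"], event["tags"], event["content"]],
        separators=(",", ":"),
        ensure_ascii=False,
    )
    return hashlib.sha256(serialized.encode("utf-8")).hexdigest()


def make_index_event(pubkey_hex: str, url: str, artifact_sha256: str, created_at: int = 1700000000) -> dict:
    """Build an unsigned file-metadata event pointing at an externally hosted APK.
    Tag layout is an assumption modelled on NIP-94; Zapstore's exact schema is
    not shown in the thread."""
    tags = [
        ["url", url],
        ["x", artifact_sha256],
        ["m", "application/vnd.android.package-archive"],
    ]
    event = {"pubkey": pubkey_hex, "created_at": created_at, "kind": 1063, "tags": tags, "content": ""}
    event["id"] = event_id(event)
    return event


def published_hash(event: dict) -> Optional[str]:
    """Extract the SHA256 the indexer vouched for; None if missing or malformed."""
    for tag in event.get("tags", []):
        if len(tag) >= 2 and tag[0] == "x":
            value = tag[1].lower()
            if value.startswith("sha256:"):
                value = value[len("sha256:"):]
            if re.fullmatch(r"[0-9a-f]{64}", value):
                return value
    return None


def verify_artifact(event: dict, downloaded: bytes) -> bool:
    """The user-side check from the thread: does the file actually downloaded
    match the hash the indexer's event advertises? Also confirm the event id
    still matches its fields, so edited tags are rejected even before any
    signature check."""
    if event_id(event) != event.get("id"):
        return False
    expected = published_hash(event)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(downloaded))


# Placeholder indexer key and URL; neither is Zapstore's real key or host.
INDEXER_PUBKEY = "ab" * 32
EVENT = make_index_event(INDEXER_PUBKEY, "https://example.invalid/app.apk", sha256_hex(GOOD_APK))

if __name__ == "__main__":
    print("good download verifies:   ", verify_artifact(EVENT, GOOD_APK))
    print("tampered download verifies:", verify_artifact(EVENT, TAMPERED_APK))
```

The point to take from this is that the event signature tells you who published the hash, and the upstream release page tells you which hash the developer published; agreement between the two plus a local digest of the downloaded bytes is what actually ties the installed APK to the developer's release. Neither the indexer nor Obtainium ever re-signs the APK in this model.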

That would definitely make it easier to use it the way I'm trying to. The app is otherwise quite nice. Just a maintenance headache for me right now. I appreciate the update.

I assumed you were building the apps from source as a middle man, then signing that binary and storing it somewhere for Zapstore users to download. "Signed by Zapstore" was vague without understanding what was going on in the background. Signing is even more confusing given that it's over Nostr, where we also sign things.

I didn't realize you were just pulling it from the official repo and "signing" it in whatever sense you mean the term.

Or I didn't realize this change was made, if the process has changed. I think the issue is that I felt forced to make assumptions in place of actual understanding. I have concerns about Obtainium too, I just didn't have the whole signing confusion since it's clear that it's being pulled from the link I gave it (with some trust for the software).