Some apps with nostr accounts that do not self-publish:

Primal, Minibits, eNuts, Fountain, Aqua Wallet, Nostrmo, Fedi, Voyage, Wavlake, BTC Map, Simplex Chat, Nunchuk Wallet, IVPN

Are you okay with those being indexed/signed by Zapstore?

Would you prefer them to be signed and published by their developers?

If so, poke them to do it! I am happy to guide them through the process.

(Bonus: self-published apps can be zapped!)

#devstr

Discussion

Both are fine but having them self-signed is even better!

nostr:npub12vkcxr0luzwp8e673v29eqjhrr7p9vqq8asav85swaepclllj09sylpugg 👀. Both are fine, but ideally each app self-publishes. That's nicer for the ecosystem.

Maybe tag them here, so they know to reply 😉

I want users to tag them (not me) if they feel it's necessary 😉

You are talking about Android APKs? These are signed by the provider, but you are talking about the nostr events being signed by them, too? I think nobody can stop you from publishing them, and it should be secure as the APKs would still keep their provider signatures and, over time, let them transition in with their self-published apps. In order to spin up Zapstore I think you have to ask for forgiveness instead of asking for permission.

I am certainly not asking for permission, these APKs are indexed.

APK certificates are outside the nostr ecosystem (unless we use my proposed linked cryptographic identities PR, which I'll add to zapstore-cli) so that doesn't help with the TOFU issue and web of trust.

Your second paragraph doesn't parse well here. Are you proposing a secondary signing scheme on top of the signatures inside the APK files? I thought APK signatures and TOFU handling were part of the Android OS, so you couldn't work around that either.

Android does not handle trust on first use, as it allows you to install APKs from any source.

This is what I meant for signatures: https://github.com/nostr-protocol/nips/pull/1335

How does a permission to install non-PlayStore APKs relate to the OS's TOFU?

If you install an app from PlayStore and then try to **update** it with some self-compiled version, you can't because TOFU.

If you installed an app from F-Droid and then try to update via the PlayStore, you can't because of TOFU (unless the APK is signed by the same keys).

We're talking about the same thing, man, no disagreement. You still need information on provenance when first installing, and the nostr web of trust plus verification is a way of doing that (as opposed to a centralized curator).

Why is the signal app on zap store not the latest?

Because the monkey that is in charge of it is overworked and underpaid

Can you add my release account to the whitelist?

I may release 2 or 3 apps later.

This is my release account: nostr:npub13jyr30u0x6uxzdcta0p2eh5dza0jhkglpp7mk3z7maej0ycamxgqw0y824.

Sure, what's the Android app ID?

Nostrmo - A nostr client.

ID: com.github.haorendashu.nostrmo

Nowser - A nostr signing project like (Amber).

ID: com.github.haorendashu.nowser

CacheRelay - A nostr cache relay for local use.

ID: com.github.haorendashu.cache_relay

This project will not be released very soon. It still needs 1 or 2 releases.

Sure! I will add you tomorrow

Why don't they do it themselves?

Good question

They are not on the right track. 💔