Replying to Ava

RIP #Obtainium on "certified Android devices."

"Non-certified OSes, like GrapheneOS, should be unaffected by this for as long as they are allowed to continue to exist."

Freedom tech exists on iOS—after developers KYC themselves, even where Apple now allows sideloading under its rules. Android matters because it's open source and allows sideloading without Google's permission. That's why Nostr apps, FOSS tools, and freedom tech took root here.

#GrapheneOS works because it preserves that ecosystem without breaking continuity. But now Google's forcing developer KYC for the Play Store on certified devices. The choice becomes: KYC to Google or start over.

This is what breaks mobile in a way desktop never broke. On Linux, you can run open-source and closed-source software on the same primary system. On mobile, once the app ecosystem is gated, custom AOSP ROMs don’t get that role.

The result is a split by design. As I predicted—for the foreseeable future—stock Android becomes the primary device for most. Privacy ROMs get relegated to secondary use, not because of capability—but because of access.

For those whose threat model demands it, privacy ROMs remain the primary device. For everyone else, they become secondary—appealing to those willing to sacrifice convenience for privacy and security, but not the masses.

Obtainium dying on stock Android is the warning. After this, the rest is just enforcement.

The catch now, however, is that with custom ROMs you’re rebuilding the entire app ecosystem from scratch.

On Linux, you can still install closed-source software. On mobile, once you step outside the Google/Apple ecosystem, you’re not just losing a store—you’re losing the distribution, licensing, and services stack a lot of the apps people actually use are built around.

That’s Linux on mobile, but without an easy way to carry over the apps people already paid for, depend on for productivity, and use every day.

That’s the challenge in front of us right now.

https://keepandroidopen.org/

#IKITAO

"There is no spoon"

I was able to set up a new GrapheneOS for a family member without ever touching Droid-ify or Obtainium.

First step: download the nostr:nprofile1qqs83nn04fezvsu89p8xg7axjwye2u67errat3dx2um725fs7qnrqlgpz9mhxue69uhkummnw3ezuamfdejj7rn7acz APK directly from their GitHub repo (use Vanadium for this).

Once Zapstore is installed you literally never ever need Obtainium again.


Discussion

And coming soon: add any open source repo directly to the indexer. No need to go through Obtainium any longer.

When export/import?

Please explain

Import/export of installed apps via Zapstore to make restoring your apps on a new device easier.

Coming in the next milestone via an encrypted 30267 event.

https://github.com/zapstore/zapstore/issues/20

No plans for files; you can pull/decrypt the event from relays if necessary.

You're so amazing.

My main issue with Zapstore is the number of apps that are signed by Zapstore rather than the developer. It seems to me that you're relying on a single person and key to sign a lot of critical apps (Bitwarden, etc.), whereas Obtainium at least spreads the risk out (or it seems to, anyway). Maybe it has the same problems and I'm mistaken somewhere. nostr:npub10r8xl2njyepcw2zwv3a6dyufj4e4ajx86hz6v4ehu4gnpupxxp7stjt2p8

Either way, I tried Zapstore and just used it for apps like Amber that are signed by the Dev to make myself feel better. I ultimately gave up because Zapstore kept trying to update every app with no way of excluding the ones I didn't want it touching.

nostr:nprofile1qqs0agvxc2jx0rdugdmsfmkjzcyyd698s8jlk9c9d6dmxvuyp4daauspz9mhxue69uhkummnw3ezumrpdejz7qgmwaehxw309a6xsetxdaex2um59ehx7um5wgcjucm0d5hsxx5cc2 I don't see an issue with it because they clearly display the SHA256.

Let's take the latest Bitwarden release as an example. This is the SHA-256 of the APK from their GitHub repo (copy/paste):

sha256:fc8c8124650665270925648e0ec35bf7336f26058e3bd72eabf41d859727d220

You will see this same SHA displayed in Zapstore. It makes no huge difference who signs the release if the keys match.

This is a misconception and conflation of concepts, but it's my fault for not explaining better (although it has been addressed in the latest Zapstore).

Define signing? Indexed apps on Zapstore are simply caching what is on GitHub (for discoverability, which is nil in Obtainium) and signing a Nostr event with that. They are NOT signing the APK. So in this sense it has the exact same level of risk as Obtainium. I would say less, because on Zapstore you can tell what you are about to install; in Obtainium it's not that clear because of missing metadata.

By default Zapstore will install from the external/original source, and only fall back if it 404'd:

@nostr:npub1l6scds4yv7xmcsmhqnhdy9sggm520q09lvts2m5mkvecgr2mmmeqsuj5rc we're working on splitting relays for indexed vs developer-signed apps; implementing relay management UI as we speak.

https://github.com/zapstore/zapstore/issues/205

and soon the ability to hide closed-source apps:

https://github.com/zapstore/zapstore/issues/197

Hope that brings you back!
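The two checks this thread keeps circling (the SHA-256 comparison in the Bitwarden reply above, and the "install from the original source, fall back if it 404'd" behaviour described just above) are easy to get subtly wrong, so here is an added example of both in one place. This is editor-written illustration code, not Zapstore's, Obtainium's or Bitwarden's; the digest string is the one quoted in the thread, the URLs and APK bytes are constructed stand-ins, and the network fetch is injected so it runs offline.

```python
"""Added example (not Zapstore's or Obtainium's code): pin an APK to a published
SHA-256 and accept it from whichever source actually served the bytes."""
import hashlib
import hmac
import os
import tempfile
from typing import Callable, Dict, Sequence

# Digest quoted in the thread for the Bitwarden release; the comparison logic
# below does not depend on which release it belongs to.
BITWARDEN_SHA256 = "sha256:fc8c8124650665270925648e0ec35bf7336f26058e3bd72eabf41d859727d220"


def parse_digest(value: str) -> str:
    """Accept 'sha256:<hex>' or bare hex; return lowercase hex or raise ValueError."""
    digest = value.strip().lower()
    if digest.startswith("sha256:"):
        digest = digest[len("sha256:"):]
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return digest


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a large APK is not read into RAM at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_apk(path: str, expected: str) -> bool:
    """True iff the file's SHA-256 equals the published digest (constant-time compare)."""
    return hmac.compare_digest(sha256_file(path), parse_digest(expected))


class NotFound(Exception):
    """Raised by a fetcher when a source answers 404 (asset gone)."""


class DigestMismatch(Exception):
    """Raised when downloaded bytes do not match the pinned digest."""


def fetch_with_fallback(sources: Sequence[str], fetch: Callable[[str], bytes],
                        expected: str, dest: str) -> str:
    """Try sources in order, skipping ones that 404; verify the result against
    `expected` before keeping it. Returns the URL that served the bytes.
    `fetch` is injected (a real one would use urllib) so this runs offline."""
    last_error: Exception = NotFound("no sources given")
    for url in sources:
        try:
            data = fetch(url)
        except NotFound as e:
            last_error = e
            continue
        with open(dest, "wb") as f:
            f.write(data)
        if verify_apk(dest, expected):
            return url
        os.remove(dest)  # never leave an unverified APK on disk
        raise DigestMismatch(f"{url}: SHA-256 does not match {expected}")
    raise last_error


def demo() -> Dict[str, object]:
    """Constructed scenario: primary source 404s, mirror serves the same bytes;
    a tampered mirror is rejected; all-404 surfaces the error. Not a real APK."""
    apk_bytes = b"PK\x03\x04 constructed stand-in for an APK payload"
    pinned = "sha256:" + hashlib.sha256(apk_bytes).hexdigest()
    tampered = apk_bytes + b"\x00"

    def fetcher(responses: Dict[str, bytes]) -> Callable[[str], bytes]:
        def fetch(url: str) -> bytes:
            if url not in responses:
                raise NotFound(url)
            return responses[url]
        return fetch

    primary = "https://github.com/example/app/releases/download/v1/app.apk"  # hypothetical
    mirror = "https://cdn.example.invalid/app.apk"  # hypothetical
    result: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "app.apk")
        result["served_by"] = fetch_with_fallback(
            [primary, mirror], fetcher({mirror: apk_bytes}), pinned, dest)
        result["verified"] = verify_apk(dest, pinned)
        try:
            fetch_with_fallback([primary, mirror], fetcher({mirror: tampered}), pinned, dest)
            result["tampered_rejected"] = False
        except DigestMismatch:
            result["tampered_rejected"] = not os.path.exists(dest)
        try:
            fetch_with_fallback([primary, mirror], fetcher({}), pinned, dest)
            result["all_missing_raises"] = False
        except NotFound:
            result["all_missing_raises"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point of structuring it this way is that the hash check runs after every download, whichever source won, so a mirror or index can only ever hand you the exact bytes the published digest names. What the digest alone does not tell you is who built those bytes; that is the job of the APK's own signature, which `apksigner verify --print-certs` reports on a real file.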

That would definitely make it easier to use it the way I'm trying to. The app is otherwise quite nice. Just a maintenance headache for me right now. I appreciate the update.

I assumed you were building the apps from source as a middle man, then signing that binary and storing it somewhere for Zapstore users to download. "Signed by Zapstore" was vague without understanding what was going on in the background. Signing is even more confusing given that it's over Nostr, where we also sign things.

I didn't realize you were just pulling it from the official repo and "signing" it in whatever sense you mean the term.

Or I didn't realize this change was made, if the process has changed. I think the issue is that I felt forced to make assumptions in place of actual understanding. I have concerns about Obtainium too, I just didn't have the whole signing confusion since it's clear that it's being pulled from the link I gave it (with some trust for the software).

Accrescent is also good. Zapstore is best.

There is no second best.

Also 🖕to Saylor :D

Please explain to me: what's bad with Obtainium?

Nothing if you (1) can and (2) want to use it. I merely suggested an alternative path.