Replying to page394

So it basically comes down to the initial downloading of an app right? If that’s signed correctly with the developer’s keys, then it can’t be replaced with a malicious version later no matter the “app store” you use right? (Excluding f-droid b/c of wonky signing policies)

So for most users Google Play is the right answer, but there are tradeoffs to consider.

Obtainium seems to be a powerful option here if you’re comfortable finding the source location yourself (only risk remaining is that the dev keys themselves are compromised which also would risk the other app stores?). This seems most like a desktop, download software from source, but with a nice consolidated updater.

Idk for me it feels like getting most software through Obtainium would be ideal and fallback to Google Play for apps that aren’t listed anywhere else. I’d only do this with a fully anonymous Google account tho (is this even possible anymore?)
91
page394 2y ago

Would be cool to have nostr used for software, publishing hashes of each release.

So for #[5]​ somehow you’d post hashes of each Envoy release to nostr (one note+replies?) and Obtainium could have a “nostr hash verified” section when you add an app so it will additionally check a specific nostr note/thread for the most recently posted hash signed by #[6]​ npub, must match hash of APK update before installing.

So both dev keys and nostr keys would have to compromised to trick Obtainium then. Any obvious pitfalls here? #[4]

Reply to this note

Please Login to reply.

Discussion

91
page394 2y ago

Other than complication. But ppl who want simplicity get iPhones so