Nostr Web Client

My main issue with Zapstore is the number of apps that are signed by Zapstore rather than the developer. It seems to me that you're relying on a single person and key to sign a lot of critical apps (Bitwarden, etc). Where Obtainium at least spreads the risk out (or it seems to anyway). Maybe it has the same problems and I'm mistaken somewhere. nostr:npub10r8xl2njyepcw2zwv3a6dyufj4e4ajx86hz6v4ehu4gnpupxxp7stjt2p8

Either way, I tried Zapstore and just used it for apps like Amber that are signed by the Dev to make myself feel better. I ultimately gave up because Zapstore kept trying to update every app with no way of excluding the ones I didn't want it touching.

Zapstore 1d ago

This is a misconception and conflation of concepts, but it's my fault for not explaining better (although it has been addressed in the latest Zapstore).

Define signing? Indexed apps on Zapstore are simply caching what is on Github -for discoverability which is nil in Obtainium- and signing a Nostr event with that. They are NOT signing the APK. So in this sense it has the exact same level of risk than Obtainium. I would say less, because on Zapstore you can tell what you are about to install, in Obtainium it's not that clear because of lacking metadata.

By default Zapstore will install from the external/original source, and only fall back if it 404'd:

Reply to this note

Please Login to reply.

Discussion

Zapstore 1d ago

@nostr:npub1l6scds4yv7xmcsmhqnhdy9sggm520q09lvts2m5mkvecgr2mmmeqsuj5rc we're working on splitting relays for indexed vs developer-signed apps; implementing relay management UI as we speak.

https://github.com/zapstore/zapstore/issues/205

and soon the ability to hide closed source apps:

https://github.com/zapstore/zapstore/issues/197

Hope that brings you back!

Matt 1d ago

That would definitely make it easier to use it the way I'm trying to. The app is otherwise quite nice. Just a maintenance headache for me right now. I appreciate the update.

Matt 1d ago

I assumed you were building the apps from source as a middle man, then signing that binary and storing it somewhere for Zapstore users to download. "Signed by Zapstore" was vague without understanding what was going on in the background. Signing is even more confusing given that it's over Nostr, where we also sign things.

I didn't realize you were just pulling it from the official repo and "signing" it in whatever sense you mean the term.

Matt 1d ago

Or I didn't realize this change was made, if the process has changed. I think the issue is that I felt forced to make assumptions in place of actual understanding. I have concerns about Obtainium too, I just didn't have the whole signing confusion since it's clear that it's being pulled from the link I gave it (with some trust for the software).