Replying to Avatar Zapstore

This is a misconception and conflation of concepts, but it's my fault for not explaining better (although it has been addressed in the latest Zapstore).

Define signing? Indexed apps on Zapstore are simply caching what is on Github -for discoverability which is nil in Obtainium- and signing a Nostr event with that. They are NOT signing the APK. So in this sense it has the exact same level of risk than Obtainium. I would say less, because on Zapstore you can tell what you are about to install, in Obtainium it's not that clear because of lacking metadata.

By default Zapstore will install from the external/original source, and only fall back if it 404'd:
Avatar
Matt 21h ago

I assumed you were building the apps from source as a middle man, then signing that binary and storing it somewhere for Zapstore users to download. "Signed by Zapstore" was vague without understanding what was going on in the background. Signing is even more confusing given that it's over Nostr, where we also sign things.

I didn't realize you were just pulling it from the official repo and "signing" it in whatever sense you mean the term.

Reply to this note

Please Login to reply.

Discussion

Avatar
Matt 21h ago

Or I didn't realize this change was made, if the process has changed. I think the issue is that I felt forced to make assumptions in place of actual understanding. I have concerns about Obtainium too, I just didn't have the whole signing confusion since it's clear that it's being pulled from the link I gave it (with some trust for the software).