To complement your example, I have been enjoying Obtainium. Code directly from the developer. If I could, I would want an app store that I can manually enter developers' keys into, or do an OpenSSH-style "do you want to save this key?" on first download; then subsequent updates will validate signatures as they are released. If the developer changes their keys, it should be a manual process or lots of blinking red lights. I don't want to trust an app store, like the case for F-Droid. I understand why they do it, but I like the model of, hey, get this package from its owner.


Discussion

It's not obvious, but this happens by default with APKs installed on Android. The app must be signed with a key, and the key must match the already installed version.

Choosing the correct app when you first install it is the key.
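The trust-on-first-use flow proposed in the original post, and the Android install-time behaviour described in the reply above, can be modelled in a few dozen lines. The following is an added example written for this thread; it is not code from Obtainium, zap.store, F-Droid or Android. It assumes Ed25519 package signatures, an app id string as the pin key, and an in-memory map standing in for the on-disk pin store; the type and function names (`TOFUStore`, `Install`, `Rotate`) are made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TOFUStore pins one signing key per app id. Assumption: the app id is the
// identity the user chose on first install, and the pins map is an in-memory
// stand-in for whatever the real client would persist to disk.
type TOFUStore struct {
	pins map[string]ed25519.PublicKey
}

func NewTOFUStore() *TOFUStore {
	return &TOFUStore{pins: map[string]ed25519.PublicKey{}}
}

var (
	// ErrBadSignature: the package bytes do not verify under the presented key.
	ErrBadSignature = errors.New("package signature does not verify")
	// ErrKeyChanged: the "blinking red lights" case. The presented key differs
	// from the pinned one, so the update is refused until a human decides.
	ErrKeyChanged = errors.New("signing key differs from pinned key; manual review required")
)

// Fingerprint gives a short, printable identity for a key, as a client would
// show in a "do you want to save this key?" prompt.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Install verifies pkg against sig and either pins pub (first use) or checks it
// against the existing pin (every later update). The bool reports whether this
// call was the first-use pin, which is the moment the UI should ask the user.
func (s *TOFUStore) Install(appID string, pub ed25519.PublicKey, pkg, sig []byte) (bool, error) {
	pinned, known := s.pins[appID]
	if known && !pinned.Equal(pub) {
		// Do not even look at the signature: a valid signature under an
		// unpinned key is exactly the situation TOFU exists to catch.
		return false, ErrKeyChanged
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return false, ErrBadSignature
	}
	if !known {
		s.pins[appID] = pub
		return true, nil
	}
	return false, nil
}

// Rotate replaces a pin after an explicit, out-of-band decision by the user
// (the "manual process" from the thread). Nothing in Install calls this.
func (s *TOFUStore) Rotate(appID string, pub ed25519.PublicKey) {
	s.pins[appID] = pub
}

func main() {
	// Constructed demo: one developer key, one unrelated key, two releases.
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	store := NewTOFUStore()
	app := "org.example.app" // placeholder app id

	v1 := []byte("release 1.0 contents")
	first, err := store.Install(app, devPub, v1, ed25519.Sign(devPriv, v1))
	fmt.Printf("v1 first-use=%v err=%v pin=%s\n", first, err, Fingerprint(devPub))

	v2 := []byte("release 1.1 contents")
	first, err = store.Install(app, devPub, v2, ed25519.Sign(devPriv, v2))
	fmt.Printf("v2 first-use=%v err=%v\n", first, err)

	// A release signed by a different key is refused, even though the
	// signature itself is valid for that key.
	v3 := []byte("release 1.2 contents")
	_, err = store.Install(app, otherPub, v3, ed25519.Sign(otherPriv, v3))
	fmt.Printf("v3 err=%v\n", err)
}
```

The ordering inside `Install` is the point worth copying: the pin comparison runs before signature verification, so a well-formed signature under the wrong key is reported as a key change rather than accepted, and the only way past it is the separate `Rotate` step that a person has to invoke.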

Apps from Google Play are signed by Google, though, not by the devs (anymore), and it's missing the UI part where it asks on override. I think that's what he wants.

Yes, but I'm speaking for a world outside of smartphones.

For sure. That would be great.

You just described zap.store 😄

And yeah, TOFU is the way. Android does it, and we'll be bringing that to other OSes.