Would be nice is there was a nostr based pgp key store for nostr apps. Like the devs sign a note with their public pgp keys to a few dedicated relays so we could import them into openkeychain.
Lots of updates flying around and it would be nice for users to have a standard way to verify nostr app releases on the phone.
Why not just sign them with your Nostr identity like zap.store is doing?
I am not the signer, I wish to verify the pgp keys in a simple sovereign manner on my device using mutiple apps like openkeychain and hasheasily.
Ok but I guess same question - why not just verify the app is signed using the Nostr identity of the dev you already trust? What does a separate siloed web of trust gain you?
pgp was great, but Nostr obsoletes it.
Not sure if I think nostr obsoletes pgp and using multiple self hosted tools to verify is my prefered method. Getting the keys on the phone is an issue because pgp keys get stored in various manners and places. I would like to be able to verify in multiple unique ways if made available. One is none, two is one.
Does a pgp signature give you increased verification over and above what a Nostr signature would?
when ‘bros’ say ‘bros! this one thing totes obsoletes this other thing, bros!’
i always keep the other thing around because bros are almost never completely right. theyre only sure they’re completely right.
One of zap.store goals is to finish what PGP never could.
I share your concern and to bridge the PGP-nostr gap we have NIP-39 cryptographic identities that soon will be integrated into zapstore-cli.
https://github.com/nostr-protocol/nips/pull/1335
Other tools could be built to leverage these events and feed them into Openkeychain for example.
That said, you mention "updates" and a phone which I suppose is Android. Keep in mind that the OS handles this verification for you, so no worries except on first install.
