It’s weird! But it seems that in the middle of Friday the #AppleStore is down! 👀

How can I trust in apps signed by you? How I can verify that's the same signature? Your app not even (yet) has integration with AppVerifier like Accrescent

Accrescent's catalog is maintained by a respected community member and checks dev signatures on a third-party database on Github. Correct me if I'm wrong.

While zap.store currently is more or less that, we're aiming to change the status quo trust model.

Users will be able to cryptographically verify an artifact came from a developer using nostr. They can do so directly, relying on a web-of-trust check, or indirectly via curators (choose your own walled gardens).

In addition, we're targeting multiple operating systems and other features like relay-based communities, the ability to zap apps and developers, a marketplace for new apps and more.

By the way, the zap store is not working on my end. Once I click "Updating on device," nothing happens.

Nostr or the like wont be involved for Accrescent, it's been designed to compliment GrapheneOS to be a private and secure app store in the same fashion that GrapheneOS is. There had been interests for us using Accrescent for a long time and this addition coming in a time where people are into using other app stores is just a coincidence. Accrescent has been in active development and maintenance since 2021 and we had expressed interest to mirror it in our Apps app for a while.

> Accrescent's catalog is maintained by a respected community member and checks dev signatures on a third-party database on Github. Correct me if I'm wrong.

This is not done through GitHub rather Accrescent's own hosted infrastructure. When you open the app it will download the current repository metadata JSON which has the app names, ID, signing cert hashes, etc.

> Users will be able to cryptographically verify an artifact came from a developer using nostr. They can do so directly, relying on a web-of-trust check, or indirectly via curators (choose your own walled gardens).

For Accrescent, apps are verified by key pinning of the apps and signing of the app store's repository data. The repository is signed by Accrescent and verified with the repository data public key (hard coded into the app) before it can be fetched. It has downgrade protection and also has a minimum revision hard coded to protect against being served old metadata on first use. It also can support key rotation.

Downloading an app will make the client check the signed repository metadata and compare the app's certificate hash, minimum version, and app name from the signed repository metadata. If any of the parameters do not match it will not install the app for you. For updates it does not matter as Android won't let you update apps with a different certificate than your currently installed version.

Minimum version protects against first install of an insecure, older version, and app name protects against malicious copycat apps.

When someone submits an app on the Accrescent developer console (whitelist only right now) for the first time, it will put a hash of their app's signing key to the repository metadata. This makes sure users are only downloading apps by the real developer.

Also HeliBoard debug is listed instead of a release version. I reported this via in app feedback but I'm not sure if that works