And on the @Zapstore, the nostr keys for the developer are used. The social graph can be used to trust other devs.
As far as I am aware, that is to do with the listing of the app on Zapstore itself? The app certificates are a separate mechanism from it? A social graph can't really help an emerging, anonymous developer, so I'd like to see more app listings by developers encouraged rather than mirrors. Big reason I haven't touched Ashigaru much yet. Having an identity provider like Nostr allows an account system with a form of accountability, where malicious or compromised apps could then be warned about or removed.
If I could filter app listings that are signed only by their app developer in the future, that would be a plus. I am only using Zapstore for Nostr-related apps whose listings are signed by the app's developers at the moment. I do like that the UI shows the certificate hash, so it helps to update apps. I would still want to check directly for first installs.
The remaining GrapheneOS team said they'd look into what could be suggested for Zapstore in the future. I am too busy to do this alone, or to get all the information on the app. I'm also aware there's a big overhaul going on, so I think now wouldn't be good timing.
Regarding getting the team to look into it, I would also need to explain Nostr further, as they don't know it. It is a given, but things to do with Nostr aren't ever going to be bundled in GrapheneOS. No third-party apps or services.
I also am not going to campaign for Nostr as a thing for GrapheneOS to adopt at scale; it's strictly a mobile security project, and I see them as very different things whose users can have quite similar goals, but many separately. Same justification we don't make anything crypto. Not everything must be Nostr-fied, and having an app ecosystem users can choose to install from is perfect as is for me.
There's a lot of room for error with normies and Nostr, just like cryptocurrencies. We still have people self-custodying millions of dollars on their phone and getting pwned. Solution made, now it needs to be usable. Many in the GrapheneOS channel space are not so interested in Nostr social media, but White Noise and Keychat, yes.
Correct, it is fully independent from the app signing key. Maybe we can connect the two somehow. @npub1wf4p...dgh9 is the creator there and can help you clarify how it works for other folks. But basically, it is web of trust for listings. Better than KYCing devs, IMO.
Don't force it. People should see the need for nostr before trying to do anything here. In some circles, the way to sell it is by saying that nostr is the PGP that caught on.
I don't think it would be possible unless the app store pins an npub to a signing key or group of signing keys. Other npubs couldn't then pin the same. I am concerned this approach may be primitive; I just thought of this as I saw your reply. Would have to brainstorm.
My assumptions are exact on how Zapstore works then.
We seriously need more online identity layers not reliant on a KYC'd or centralised platform, but those will always be used because they can be recovered and their login mechanisms are undeniably far more secure. It's a trade-off, but I guess it's worth it in this space.
When an npub is pwned, it is pwned for life. No account recoveries, no password resets, nothing... A passphrase derivation for npubs could solve some issues, but still a provider would need to set up their own account system to provide 2FA to prevent a phishing attack. Google SSO may not be so private, but it is extremely secure if your account is...
Bunkers or signer apps like Amber may alleviate concerns but then you're entirely reliant on your device's security.
PGP is a utility for encryption / signing that people tried to adopt as an identity but never could, because it was never designed to be one. It is primitive and obsolete. Tools like age, signify and kryptor solve PGP by being a far more usable encryption / signing utility. Systems like Nostr, and anything competing against it, solved having a cryptographic online identity.
I have mostly recommended to avoid the social media side of it. Look at Nostr in a simplest form: a keypair as an identity.
I agree with avoiding the social media part, but not the social graph. That's the difference between pgp and nostr: the graph of people signing on top of each other. In other words, every Twitter thread is a different blockchain.
Yes. I just mean that strictly the social media is something I avoid when describing nostr. Social graph falls more under identity for me, since you can have this same social graph system on other identity providers too, for example a federated social media's instance admins trusting admins of other instances to federate. Nostr at least can split this down to an individual level rather than a single authority that the individual trusts to trust on their behalf.
A lot of users in channels in our space think Nostr is just "Bitcoin Bro Twitter", and some call npubs an account, which isn't exact. I don't blame them.
Nostr as a social media reminds me of a hyper-accelerated Twitter. Where Facebook is mostly between a friend circle, Twitter was far more out in the open, Nostr as a social media just expands that IMO.
We have a very private space, so people who want privacy wouldn't really use Nostr at all; they'd use a centralised social media they can make private and lock posts to just the people they want... Bluesky provides tons of restrictions on that.
* I don't blame them since it's very different from what they are used to.
Yeah, I wouldn't call that privacy, though. It's just the human need to control each other. People love that and most normies think they need or want that. It takes a while to convince them otherwise.
I've had the idea of using PGP as 2FA for nostr.
One of the underrated (and underdeveloped) features of zapstore is that regular users can sign and recommend the application of another developer. This way even anonymous devs can get some reach if they lobby known npubs to endorse them. "At least we're all in the same boat if it's malware."
I'm looking forward to FROST/multisig for Nostr.
We might not be there yet but we are going to surpass the security of Google SSO.
Thank you, Final. I will be in touch when I feel Zapstore has a more solid pitch for Graphene, and I will be seeking feedback from there.
The AppVerifier TOFU UX is subpar in my opinion (better than PGP though).
Zapstore aims to improve on this, adding malware/privacy checks, reproducibility attestations and more, as well as discovery and monetization, two big issues for open source developers in particular.
There is an effort to link npubs with APK signing keys:
@Final, if you have any comments on it, I would appreciate it.
GitHub: NIP-39 cryptographic identities by franzaps · Pull Request #1335 · nostr-protocol/nips
Following the discussion on #1182 I have:
Integrated my changes onto NIP-39 (from what was NIP-69)
Updated the PGP type according to http...
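The two mechanisms the thread keeps separate, an npub as the listing identity and the APK signing certificate as the install identity, can be joined by a store-side pin table, as suggested above ("pins an npub to a signing key or group of signing keys. Other npubs couldn't then pin the same"), combined with the trust-on-first-use check on the certificate hash that AppVerifier-style tooling does. The following is an added example written for this page; it is not Zapstore's, AppVerifier's or the NIP-39 PR's code. It assumes a listing carries the publisher's npub (NIP-19 bech32 over a 32-byte public key) and the APK's DER signing certificate, that a certificate fingerprint may be claimed by exactly one npub (first claimant wins), and that an app's fingerprint is trusted on first install and must match on every update. The class and function names, the sample keys and the certificate bytes are all constructed for the example.

```python
"""Pin an npub to APK signing-certificate fingerprints, with TOFU on install.

Added example (not Zapstore / AppVerifier / NIP-39 code). Assumptions:
listings carry an npub and the APK signing cert; one npub per cert fingerprint;
first install pins the fingerprint, updates must match it.
"""
import hashlib

# --- NIP-19 npub: bech32 (BIP-173 reference algorithm) over a 32-byte pubkey
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid bech32 padding")
    return out


def npub_encode(pubkey: bytes) -> str:
    if len(pubkey) != 32:
        raise ValueError("pubkey must be 32 bytes")
    data = _convertbits(pubkey, 8, 5, True)
    poly = _polymod(_hrp_expand("npub") + data + [0] * 6) ^ 1
    checksum = [(poly >> 5 * (5 - i)) & 31 for i in range(6)]
    return "npub1" + "".join(CHARSET[d] for d in data + checksum)


def npub_decode(npub: str) -> bytes:
    """Return the 32-byte pubkey; raise ValueError on any malformed/tampered npub."""
    hrp, sep, body = npub.lower().partition("1")
    if hrp != "npub" or not sep or not body:
        raise ValueError("not an npub")
    data = [CHARSET.find(c) for c in body]
    if min(data) < 0 or _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad bech32 checksum")
    pubkey = bytes(_convertbits(data[:-6], 5, 8, False))
    if len(pubkey) != 32:
        raise ValueError("wrong key length")
    return pubkey


# --- Store policy: one npub owns a signing key; installs are TOFU on the fingerprint
def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the hash the install UI shows."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    def __init__(self):
        self.key_owner = {}  # cert fingerprint -> hex pubkey that pinned it
        self.app_pin = {}    # app id -> fingerprint trusted on first install

    def claim(self, npub: str, cert_der: bytes) -> str:
        """Publisher pins an APK signing key to their npub; first claimant wins."""
        pk = npub_decode(npub).hex()
        owner = self.key_owner.setdefault(cert_fingerprint(cert_der), pk)
        return "claimed" if owner == pk else "conflict"

    def install(self, app_id: str, npub: str, cert_der: bytes) -> str:
        """Decide whether an APK signed by cert_der, listed by npub, may be installed."""
        fp = cert_fingerprint(cert_der)
        if self.key_owner.get(fp) != npub_decode(npub).hex():
            return "reject: listing npub does not own the signing key"
        pinned = self.app_pin.get(app_id)
        if pinned is None:
            self.app_pin[app_id] = fp
            return "first install: verify fingerprint out of band: " + fp[:16]
        return "update ok" if pinned == fp else "reject: signing key changed"


# Constructed sample data (not real keys or certificates)
DEV_KEY = bytes(range(32))
OTHER_KEY = bytes(range(32, 64))
CERT_A = b"constructed DER bytes for signing cert A"
CERT_B = b"constructed DER bytes for signing cert B"


def demo():
    dev, other = npub_encode(DEV_KEY), npub_encode(OTHER_KEY)
    store = PinStore()
    return [
        store.claim(dev, CERT_A),                     # claimed
        store.claim(other, CERT_A),                   # conflict: already owned by dev
        store.claim(dev, CERT_B),                     # claimed: dev owns a group of keys
        store.install("app.example", dev, CERT_A),    # first install, TOFU
        store.install("app.example", dev, CERT_A),    # update ok
        store.install("app.example", dev, CERT_B),    # reject: signing key changed
        store.install("app.example", other, CERT_A),  # reject: other does not own A
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice the fingerprint comes from the APK itself (for example `apksigner verify --print-certs`), and the first-install result is exactly the point where the thread says a direct out-of-band check against the developer's published hash is still wanted; the pin table only prevents a second npub from claiming a key and a later update from silently changing it.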