This is a misconception and conflation of concepts, but it's my fault for not explaining better (although it has been addressed in the latest Zapstore). Define signing? Indexed apps on Zapstore are simply caching what is on GitHub (for discoverability, which is nil in Obtainium) and signing a Nostr event with that. They are NOT signing the APK. So in this sense it has the exact same level of risk as Obtainium. I would say less, because on Zapstore you can tell what you are about to install; in Obtainium it's not that clear because of lacking metadata. By default Zapstore will install from the external/original source, and only fall back if it 404'd: [image]
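To make the distinction in the post concrete, here is an added illustration (not Zapstore's code, and not taken from the thread) of an indexer that signs a metadata event rather than the APK, plus the "original source first, cached copy only on 404" install policy described above. The event layout loosely follows Nostr's serialization, but Ed25519 is used as a stand-in for Nostr's Schnorr signatures so that it runs with Go's standard library alone; the field names, the kind number, and the URLs are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
)

// IndexEvent is a simplified, hypothetical stand-in for the event an app
// indexer publishes. It carries metadata about where a release lives; the
// APK bytes never enter it, so the signature below attests to the metadata
// only. Field names are assumptions made for this example.
type IndexEvent struct {
	PubKey    string `json:"pubkey"`
	CreatedAt int64  `json:"created_at"`
	Kind      int    `json:"kind"` // placeholder kind; not a real Nostr kind number
	Content   string `json:"content"`
	ID        string `json:"id"`
	Sig       string `json:"sig"`
}

// serialize mimics the shape of Nostr's canonical event serialization
// ([0, pubkey, created_at, kind, tags, content]); tags are left empty here.
func serialize(ev IndexEvent) []byte {
	b, _ := json.Marshal([]interface{}{0, ev.PubKey, ev.CreatedAt, ev.Kind, []string{}, ev.Content})
	return b
}

// SignIndexEvent derives the event id from the serialized metadata and signs
// that id. Ed25519 is a stand-in for Nostr's Schnorr signatures (assumption
// for this example); the security point is unchanged: only the metadata is
// covered, and the binary's integrity still rests on the source it is
// downloaded from and on the APK's own Android signing key.
func SignIndexEvent(priv ed25519.PrivateKey, ev IndexEvent) IndexEvent {
	ev.PubKey = hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	id := sha256.Sum256(serialize(ev))
	ev.ID = hex.EncodeToString(id[:])
	ev.Sig = hex.EncodeToString(ed25519.Sign(priv, id[:]))
	return ev
}

// VerifyIndexEvent recomputes the id from the event's own fields and checks
// the signature under the embedded public key. Any change to the metadata
// (content, kind, timestamp) invalidates it.
func VerifyIndexEvent(ev IndexEvent) bool {
	pub, err := hex.DecodeString(ev.PubKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	id := sha256.Sum256(serialize(ev))
	if hex.EncodeToString(id[:]) != ev.ID {
		return false
	}
	sig, err := hex.DecodeString(ev.Sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), id[:], sig)
}

// ChooseSource applies the install policy from the post: use the original
// URL, and use the cached copy only when the original returns 404. Any other
// status is reported as an error instead of being silently redirected.
// `head` is injected so the policy can be exercised offline.
func ChooseSource(original, cached string, head func(url string) (int, error)) (string, error) {
	status, err := head(original)
	if err != nil {
		return "", err
	}
	switch status {
	case http.StatusOK:
		return original, nil
	case http.StatusNotFound:
		return cached, nil
	default:
		return "", fmt.Errorf("original source returned HTTP %d", status)
	}
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed metadata: where the release is, not the release itself.
	meta, _ := json.Marshal(map[string]string{
		"repository": "https://example.invalid/owner/app",
		"apk_url":    "https://example.invalid/owner/app/releases/v1.0/app.apk",
	})
	ev := SignIndexEvent(priv, IndexEvent{CreatedAt: 1700000000, Kind: 0, Content: string(meta)})
	fmt.Println("index event verifies:", VerifyIndexEvent(ev))

	// Simulated HEAD responses; the original is gone, so the cache is used.
	src, err := ChooseSource("https://example.invalid/owner/app/releases/v1.0/app.apk",
		"https://cache.example.invalid/app.apk",
		func(string) (int, error) { return http.StatusNotFound, nil })
	fmt.Println("install from:", src, "err:", err)
}
```

The verifier here checks only that the indexer vouched for this metadata; whether the APK fetched from that URL is the one the upstream developer built is a separate question that this event cannot answer, which is exactly the "same level of risk as Obtainium" point made in the post.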

Replies (2)

I assumed you were building the apps from source as a middle man, then signing that binary and storing it somewhere for Zapstore users to download. "Signed by Zapstore" was vague without understanding what was going on in the background. Signing is even more confusing given that it's over Nostr, where we also sign things. I didn't realize you were just pulling it from the official repo and "signing" it in whatever sense you mean the term.