My main issue with Zapstore is the number of apps that are signed by Zapstore rather than the developer. It seems to me that you're relying on a single person and key to sign a lot of critical apps (Bitwarden, etc.), whereas Obtainium at least spreads the risk out (or it seems to, anyway). Maybe it has the same problems and I'm mistaken somewhere. @Zapstore
Either way, I tried Zapstore and just used it for apps like Amber that are signed by the Dev to make myself feel better. I ultimately gave up because Zapstore kept trying to update every app with no way of excluding the ones I didn't want it touching.
Replies (2)
@Matt - Just mute me, bro. I don't see an issue with it because they clearly display SHA256.
Let's take the latest Bitwarden release as an example. This is the SHA for the APK from their GitHub repo (copy/paste):
sha256:fc8c8124650665270925648e0ec35bf7336f26058e3bd72eabf41d859727d220
You will see this same SHA displayed in Zapstore. Makes no huge difference who signs the release if keys match.
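The check the reply above describes, as an added example that is not code from the thread or from Zapstore: parse a published `sha256:<hex>` digest string in the format shown, hash the downloaded file in chunks, and compare. The APK bytes, the temporary file and the tampered copy are constructed here purely for illustration.

```python
import hashlib
import os
import tempfile

# Published digests in the thread look like
# "sha256:fc8c8124650665270925648e0ec35bf7336f26058e3bd72eabf41d859727d220".
CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so large APKs are not read into memory


def parse_digest(spec):
    """Parse 'sha256:<64 hex chars>' into lowercase hex; reject anything else.

    A digest for another algorithm, a missing prefix or a truncated hex string
    is treated as an error rather than silently compared against a SHA-256.
    """
    algo, sep, hexdigest = spec.strip().partition(":")
    if sep != ":" or algo.lower() != "sha256":
        raise ValueError("only sha256:<hex> digests are accepted")
    hexdigest = hexdigest.lower()
    if len(hexdigest) != 64 or any(c not in "0123456789abcdef" for c in hexdigest):
        raise ValueError("malformed sha256 hex digest")
    return hexdigest


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_spec):
    """Return True only if the file's SHA-256 equals the published digest."""
    expected = parse_digest(expected_spec)
    return sha256_file(path) == expected


def check_constructed_sample():
    """Run the check on constructed data; returns (genuine_ok, tampered_ok).

    The 'APK' here is just the bytes b"abc" (constructed for the example),
    whose SHA-256 is the well-known value below; the tampered copy has one
    extra byte appended, as a download that was swapped or truncated would.
    """
    published = "sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    tmpdir = tempfile.mkdtemp()
    genuine = os.path.join(tmpdir, "app.apk")
    tampered = os.path.join(tmpdir, "app-tampered.apk")
    with open(genuine, "wb") as f:
        f.write(b"abc")
    with open(tampered, "wb") as f:
        f.write(b"abc\x00")
    try:
        return verify_download(genuine, published), verify_download(tampered, published)
    finally:
        os.remove(genuine)
        os.remove(tampered)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(check_constructed_sample())
```

The comparison establishes only that the bytes you received are the bytes whose digest was published; it says nothing about which key the APK itself was signed with, which is the separate question the next reply addresses.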
This is a misconception and conflation of concepts, but it's my fault for not explaining better (although it has been addressed in the latest Zapstore).
Define signing? Indexed apps on Zapstore are simply caching what is on GitHub (for discoverability, which is nil in Obtainium) and signing a Nostr event with that. They are NOT signing the APK. So in this sense it has the exact same level of risk as Obtainium. I would say less, because on Zapstore you can tell what you are about to install; in Obtainium it's not that clear because of lacking metadata.
By default Zapstore will install from the external/original source, and only fall back if it 404'd:

