Oddbean new post about | logout
 nostr:nevent1qqst8tm7fj4fd4zu7d938ltcqqu7e0h2z0kpsxggfgzjapph5tmhjkcpr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0qgs83nn04fezvsu89p8xg7axjwye2u67errat3dx2um725fs7qnrqlgrqsqqqqqpkf4tcw 
 How can I trust in apps signed by you? How I can verify that's the same signature? Your app not even (yet) has integration with AppVerifier like Accrescent 
 Inspect the source code and build the APK yourself. There is a file integrity hash check and an APK certificate hash check but Android enforces this validation anyway. 

For first installs you're choosing to trust AppVerifier and not zap.store, that's okay. I can't change who you trust. 

However, developers will start signing apps via nostr events so on zap.store you'll be able to check that with your web of trust (via a service or manually) 
 Accrescent is too sus.

All communication channels are through well-known compromised locations. Your work is beyond all that from the beginning, please do keep the good work and keep the apps offline. 
 Why GrapheneOS uses this? 
 I have pretty trust on them 
 Because Accrescent comes from the GrapheneOS Community