Oddbean

Details, please! Is this PWA distribution via nostr events? Or is the PWA signature on nostr? What is signed there? I'm very eager to learn for WalletScrutiny where I had PWAs kind of dismissed as impossible to get secure against hacked servers for example.

On Google phones, the OS won't let you down-grade apps or upgrade them to a version that's signed by a different key. I want this for PWAs. Of course, as admin I want to be able to override it but it would be great to have such a lock-in that no random hacker on a webserver could circumvent.

This product is using NIP-94 (and another NIP coming up soon) for the distribution and verification of artifacts Android enforces TOFU and pinning at the OS level (APK are signed), PWAs have none of this. Installing them via zap.store can emulate these features (same signature for updates, prevent downgrading)

TOFU 😁 I was not familiar with "trust on first use" being called that. I'm very excited about app distribution via nostr. This might be the killer app but then again, the social graph might on its own be the killer feature many tiny baby killer apps build on. Lets make the App Store obsolete! (followed)

I did not get involved when drafting BIP94 but now I wonder why URL is not optional when it might be used for torrents and why there is no filename. The fallback is also not well specked. Is fallback allowed to occur multiple times or may it be `[fallback, fallback1, fallback2, ...]`

You can mitigate this with external code verifiers: - that get payed to do that 👉 Verifiers DVM's - that pay to do that 👉 early beta access (and then of course we need key rotation asap for way more reasons than just this)

The framework that I like to think in is "desirables vs undesirables": - If the user action is desirable, the user should be rewarded sats. - If the users gets value from the content, they should be nudged to voluntarily pay sats for it. - If the action is undesirable it should cost sats.

I'm assuming that not all people in your web of trust need to verify the app. So there will be some threshold. E.g. "at least 3 people in your WOT with score over 5 verified app ABC". And then yeah, 2 people could be hacked, especially over longer term. There are definitely ways to mitigate these issues...

Maybe? Are you thinking that when a new person verifies the app, the verification has to get interactively signed (with multisig) by other people? Or are you thinking co-signing with the store or some verification system paid for co-verifying?

With the likelihood of multiple secret key being compromised, a release has to get X number of signatures before considered verified by clients and thus downloadable. Whether the signatures are independent or m-of-n multi-sig is something to explore. In the case of paying for co-verifying I think it will have the wrong incentives if an invalid verification isn’t penalized somehow and the affected users reimbursed?

Could you please explain this to me like I'm completely stupid? 😃 Let's say there are 5 users that already have solid WOT score. Now 2 of them get hacked and hacker installs and "verifies" an AppX. Unless the other users get somehow notified of the hack, they will see the AppX as "verified" and may potentially install the app too, no? What would prevent it? Some lower bound limits on how many people are needed to "verify"?

Very much counting on it 👌 nostr:nevent1qvzqqqqqqypzp22rfmsktmgpk2rtan7zwu00zuzax5maq5dnsu5g3xxvqr2u3pd7qy88wumn8ghj7mn0wvhxcmmv9uq3zamnwvaz7tmwdaehgu3wwa5kuef0qqsgz5n6f2hkn5l7sehw05fh8lqaelyjhc4mleerdknd3wsrpaks7rsl0tzxm

An app on my phone which I intended to use for setting up a watch only wallet for my cold card somehow managed to get at my cold card keys when I sent the QR of my wallet descriptor to it. Dumb move. Definitely a case of just enough knowledge being dangerous. It was able to sign and broadcast a transaction but the transaction couldn’t seem to confirm fully on chain. It was pending for three hours while I scrambled to figure out how to replace-by -fee all the UTXO’s to a temp location. I still don’t understand despite the app (or whomever harvested my keys off it) being able to sign the transaction and broadcast it, the transaction wouldn’t be added to a block even though the estimated time to confirmation came and went a couple of times. At one point the estimated time to confirmation was down to 10 minutes and no bars had filled to indicate that any of the one of six confirmations had occurred. Maybe because I’m always fully air gapped with my setup. I came very close to losing my whole stack. I just about had a heart attack when I looked at the unauthorized transaction and it showed a couple dozen UXO’s funnelling down to one unknown address in a single transaction. Not to mention the friggin heart attack I had moving all of my UXO’s to a temporary address all in one shot, knowing that if I got even one letter incorrect in the receiving address that I was going to lose everything. Then, once the cold cards were wiped and reestablished with new seeds, I had to move everything again. The whole thing freaked me out to the point where I found myself incessantly checking my wallets’ balances all week to make sure that I had indeed isolated the source of the exploit. If I had watched this week’s price action play out without my stack in my possession I would’ve jumped off the roof headfirst. Lol.

Pretty wild to look back at the first version ever of zap.store, 8 months ago. We had no Android, no APKs, no custom relay, no Dart library, no indexer, no CLI... what a ride! nostr:nevent1qqstex2gzczpkxcmkq7z75p3zg9xn4p0kcw2r0sfw0jdmvuep6x8lsgprpmhxue69uhkummnw3ezuendwsh8w6t69e3xj730qgs04xzt6ldm9qhs0ctw0t58kf4z57umjzmjg6jywu0seadwtqqc75srqsqqqqqpny2hvn