Would be nice if there was a nostr-based pgp key store for nostr apps. Like the devs sign a note with their public pgp keys to a few dedicated relays so we could import them into openkeychain. Lots of updates flying around and it would be nice for users to have a standard way to verify nostr app releases on the phone.
Why not just sign them with your Nostr identity like zap.store is doing?
I am not the signer, I wish to verify the pgp keys in a simple sovereign manner on my device using multiple apps like openkeychain and hasheasily.
Ok but I guess same question - why not just verify the app is signed using the Nostr identity of the dev you already trust? What does a separate siloed web of trust gain you? pgp was great, but Nostr obsoletes it.
Not sure if I think nostr obsoletes pgp, and using multiple self-hosted tools to verify is my preferred method. Getting the keys on the phone is an issue because pgp keys get stored in various manners and places. I would like to be able to verify in multiple unique ways if made available. One is none, two is one.
Does a pgp signature give you increased verification over and above what a Nostr signature would?
Perhaps not, however I don't know if even the zap store folks would say it is all the way there yet. I like the idea, but pgp is the current standard and having a way to DOUBLE check the zap store would be nice. Once you have the public key, verifying is like a couple of taps in a couple of apps.
when ‘bros’ say ‘bros! this one thing totes obsoletes this other thing, bros!’ i always keep the other thing around because bros are almost never completely right. they're only sure they’re completely right.
Would be interesting to see a shift towards signing releases with Nostr keys more generally
I think nostr app devs will start to add it
An easy way to do it might be in the works 🤫 maybe
One of zap.store's goals is to finish what PGP never could. I share your concern and to bridge the PGP-nostr gap we have NIP-39 cryptographic identities that will soon be integrated into zapstore-cli. https://github.com/nostr-protocol/nips/pull/1335 Other tools could be built to leverage these events and feed them into Openkeychain for example. That said, you mention "updates" and a phone which I suppose is Android. Keep in mind that the OS handles this verification for you, so no worries except on first install. nostr:nevent1qqs0jls3pxsvs792443sdlg8f673f237hx4gfe3f5gl9fq3uv2a0zngpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg8dk3czwy5h43dxrunh70x3fhj5celttnxjpmcdnhefhcvxskasqspsgqqqqqqsmtjg7h
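A constructed example of the idea in the first post (a dev signs a note carrying their PGP key so a client can import it) and of the check a bridge into OpenKeychain, as suggested in the reply above, would have to perform. It is added here and is not code from the thread, from zap.store, or from the NIP-39 draft: the `pgp` tag layout, the dev key and the fingerprint are assumptions, and the BIP-340 Schnorr implementation is a readable pure-Python version for illustration, not a production library. The point it demonstrates is that a client must recompute the event id from the signed fields and verify the Schnorr signature under the dev's already-trusted Nostr pubkey before accepting the fingerprint, so a relay or intermediary cannot swap in a different key.

```python
# Added example, not code from the thread or from zap.store: a minimal BIP-340
# Schnorr signer/verifier over secp256k1 plus Nostr event id/signature checks,
# used to publish and verify a constructed "dev attests to this PGP fingerprint"
# note. The "pgp" tag layout, the dev key and the fingerprint are assumptions for
# illustration; anything real should use a vetted secp256k1 library.
import hashlib
import json

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and y1 != y2:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(pt, k):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def tagged_hash(tag, data):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def lift_x(x):  # even-y point for an x-only key, or None if x is not on the curve
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if x >= P or y * y % P != y_sq:
        return None
    return x, (y if y % 2 == 0 else P - y)

def schnorr_sign(msg, seckey, aux=b"\x00" * 32):
    pub = point_mul(G, seckey)
    d = seckey if pub[1] % 2 == 0 else N - seckey  # use the even-y private key
    px = pub[0].to_bytes(32, "big")
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k = int.from_bytes(tagged_hash("BIP0340/nonce", t + px + msg), "big") % N
    if k == 0:
        raise ValueError("nonce derivation failed")
    r = point_mul(G, k)
    if r[1] % 2 == 1:
        k = N - k
    rx = r[0].to_bytes(32, "big")
    e = int.from_bytes(tagged_hash("BIP0340/challenge", rx + px + msg), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(msg, pubkey_x, sig):
    pub = lift_x(int.from_bytes(pubkey_x, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or pub is None or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pubkey_x + msg), "big") % N
    rp = point_add(point_mul(G, s), point_mul(pub, N - e))  # s*G - e*P
    return rp is not None and rp[1] % 2 == 0 and rp[0] == r

def nostr_event_id(pubkey_hex, created_at, kind, tags, content):
    # sha256 over the canonical JSON array [0, pubkey, created_at, kind, tags, content]
    ser = json.dumps([0, pubkey_hex, created_at, kind, tags, content],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode("utf-8")).hexdigest()

def publish_pgp_attestation(seckey, fingerprint, created_at=1700000000):
    # dev side: a signed kind-1 note carrying the release-signing PGP fingerprint
    pubkey_hex = point_mul(G, seckey)[0].to_bytes(32, "big").hex()
    tags = [["pgp", fingerprint]]  # assumed tag layout, not an existing NIP
    content = "My app releases are signed with the PGP key in the pgp tag."
    eid = nostr_event_id(pubkey_hex, created_at, 1, tags, content)
    return {"id": eid, "pubkey": pubkey_hex, "created_at": created_at, "kind": 1,
            "tags": tags, "content": content,
            "sig": schnorr_sign(bytes.fromhex(eid), seckey).hex()}

def verify_event(ev):
    # recompute the id from the fields, then check the Schnorr signature over it
    if nostr_event_id(ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]) != ev["id"]:
        return False
    return schnorr_verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"]))

def trusted_pgp_fingerprint(ev, trusted_dev_pubkey_hex):
    # client side: accept a fingerprint only from a validly signed note by a dev you already trust
    if ev["pubkey"] != trusted_dev_pubkey_hex or not verify_event(ev):
        return None
    return next((t[1] for t in ev["tags"] if len(t) > 1 and t[0] == "pgp"), None)

# constructed demo values: a throwaway dev key and a placeholder fingerprint
DEV_SECKEY = 0xC0FFEE1234
PLACEHOLDER_FINGERPRINT = "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"
```

`publish_pgp_attestation` is what the dev would run once; `trusted_pgp_fingerprint` is the check a phone-side importer performs, pinning the dev's Nostr pubkey out of band (the same trust root zap.store relies on) and rejecting any note whose fields were altered after signing, since the id no longer matches or the signature no longer verifies.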