One of zap.store's goals is to finish what PGP never could. I share your concern, and to bridge the PGP-nostr gap we have NIP-39 cryptographic identities that soon will be integrated into zapstore-cli. https://github.com/nostr-protocol/nips/pull/1335 Other tools could be built to leverage these events and feed them into OpenKeychain, for example. That said, you mention "updates" and a phone, which I suppose is Android. Keep in mind that the OS handles this verification for you, so no worries except on first install. nostr:nevent1qqs0jls3pxsvs792443sdlg8f673f237hx4gfe3f5gl9fq3uv2a0zngpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg8dk3czwy5h43dxrunh70x3fhj5celttnxjpmcdnhefhcvxskasqspsgqqqqqqsmtjg7h
So it’s just trust me bro on the first download?
That's the whole point of app stores
Is there not an open source website that checks the hashes?
Owned by whom?
So that’s a no?
Are you familiar with https://gnupg.org/ ?
Can you ELI5 how to use the CLI on a Motorola Android phone?
No, sorry. For now I use a laptop, but plan to explore https://termux.dev when I have time.
Which hashes? Can you explain what your goal is?
I just want to check the 256 hash of the download to verify the integrity of the download. How do I do this on a droid without using the App Store first? I would need to check the 256 hash with an online tool, right? If the hashes match, I can trust everything?
Hashes are good, but ultimately public/private key cryptography is needed in some form to ensure trust minimized to just signer/dev (holder of private key)
Are you saying the initial zap.store download is verified by our nostr keys then?
zap.store does this for you, but you are right that for verifying zap.store itself you need to either trust the domain or verify the hash. This is why we publish hashes in our nostr profile. If you already have AppVerifier, that's one way. Or you could do it on the computer. Would be nice to have tutorials for both.
That’s why I asked about a website to check, as I do not have either (PC or app) to check the hashes.
I'm not against it but you need to trust the website host then. Ideally we want multiple websites pulling these events. https://zap.store eventually will show this info, and then something like an app in nostrudel "more" could work too