checker to reject (or ask for confirmation) F-Droid signed APKs

Alice recommends Bob download amethyst using zap.store

add link

-npub can create a curated list
-end user can see curations by npubs in their WOT, or featured npubs

via @NielLiesmons
https://www.figma.com/file/dpR0Ig0hzKwPYlDfSP9q8K/Zap.store?type=design&node-id=4-4&mode=design&t=bUS2plx1SHjr91MH-0

Different options will be offered in order for them to verify their apps on zap.store:

• signing up for DM reminders of "hey you just made a release, sign your app/release/metadata" by visiting this website or using this CLI tool (active)
• if using Github, integrate a Github action that takes either an nsec or connects to a bunker with an auth token (set and forget)
• sign a NIP-69 linking their PGP key or APK certificate (set and forget), used in combination with the delegation tags (p/zap)

Can use github labels as a start, and also more consumer friendly appstore labels

Games: action, racing, strategy ...

Apps: entertainment, social networking, lifestyle, photo & video, education, health & fitness, productivity utilities, books, sports, music, business, graphics & design, navigation, reference, travel, news, finance, medical, weather...

user story

TBC

• badges (apart from ability to receive zaps) to incentivize developers to join
• curation badges, for example "Privacy Badge" for good quality app that respects user privacy

Eg signal, mullvad

https://njump.me/nevent1qvzqqqqqqypzqv78gsnl8v4h840r3ulxexguzg49t5syqu34daca5jdqugylk62qqywhwumn8ghj7mn0wd68ytnzd96xxmmfdejhytnnda3kjctv9uqsuamnwvaz7tmwdaejumr0dshsqgqv5354qhykqtct4fa9dzyef385n93w0anktt79zynl62s6e88x95l7hk5g

(but Mutiny was fine)

What signature method do devs use to sign their Android app

-first check github
-as needed, ask exploration open ended questions on PGP/cert/NIP-69, bunker, or some other authentication method etc.

1. Vitor / Amethyst (uses actions and shares secrets with github) @fr4nzap
2. Miljan / Primal (uses actions and shares secrets with github) @alltheseas to confirm =>
3. Amber / GreenArt (uses actions and shares secrets with github) @fr4nzap
4. Mutiny / Tony/Ben/Paul (uses actions and shares secrets with github) @fr4nzap
5. Blixt - @alltheseas No
6. Minibits (uses actions and shares secrets with codepush - also from microsoft) @fr4nzap
7. Nostrband - @fr4nzap
8. 0xChat - @alltheseas No
9. SimpleX (unsure, appears to be signing on local device? need to ask) @alltheseas No
10. Zeus (unsure, appears to be signing on local device but has build action? need to ask) @alltheseas No

Other apps after these: https://primal.net/e/note1a3wt62zht0v8yfhy27g68ctzt62z3wfk68g6rvcu0cs07vw0rycsxtnyfc

69 spec - PGP/cert <-> nsec NIP-69 draft

@fr4nzap to publish draft
@alltheseas to create simple flow chart

user story

TBC

Requires #3

Sebas had made one, APKDeepLens?

Download APK link and instructions to manually verify it with open source tools

what happens

In order to see any apps, I must first:

1. sign in (see #11 demo mode), and
2. search.

suggestion

Is it possible to surface apps without having to search (step 2) above?

design

How might this look like @NielLiesmons ?

builds on / related to

#11

Feedback by @gzuuus

https://njump.me/note18t3h5q23llzjqxue4x0sxvnx8pprv73cuwynrp3fl7rt6z303kssv6tt5p

• app reviews #32
• ratings #33
• user reports #34

implementation suggestions

• Once signing capabilities are added to the app, let users rate the app (maybe a number between 0 and 100, inclusive similar to the NIP-77 PR).
• Users should also be able to add a review and suggest the app to their followers.
• Users should be able to report an app using NIP-56, and their followers should see the reports when checking out that app. Maybe also allow sending the report to zap.store using a P tag as per this PR

user story

As a ZapStore customer, I would like to be able to see which of my follows use an app, so that I can have greater confidence that this app is neither a scam nor has crap user experience.

acceptance criteria

1. Via web of trust show me which of my follows use an app

implementation details

1. Customer can input their (or someone else's) nostr pubkey (npub)
2. Copypasta method
3. Nip-07 extension supported

Privacy is a fundamental value at zap.store . Any privacy issues are unintentional and due to lack of time not malice, we're not fucking Google

Keyboard coming up and down is annoying to some people

https://njump.me/nevent1qqs8ydcys5mescp72mud50vydmc5p4u7j8n8lezk3yvp5xxfafqgulqpr4mhxue69uhhyetvv9ujumn0wd68ytnhd9ex2erwv46zu6nsqyvhwumn8ghj7urewfsk66ty9enxjct5dfskvtnrdakszrthwden5te0dehhxtnvdakqz9thwden5te0v4jx2m3wdehhxarj9ekxzmny0rt3xz

Requires some combination of

• zaps #39
• prepay visualization / method #64
• proof of missed zaps #61
• user receives notification of impending subscription expiration and/or impending subscription renewal #65
• developer/app can add a lightning address #66
• user can see and manage their subscriptions #67
• zapstore % fee #68

future/unvalidated/undefined

• recurring subscription NWC (for instance, see mutiny sub) (unclear if there is a practical, working NWC recurring pre-authorized subscription yet)
• ZS can provide a placeholder LN address on dev's behalf
• newbie dev can "onboard" to ZS

A user (dev) should be able to declare that a particular version of any app is reproducible (or not) from a particular commit or release tag. Show warnings when a dev in your WoT says they have failed to generate a reproduced build.

According to the official specs page, Redmi 9i (Model: M2006C3LII) has the following CPU configuration:

MediaTek Helio G25
CPU: MediaTek Helio G25, octa-core processor
8X Cortex-A53 cores 2.0GHz

8X Cortex-A53 cores 1.5GHz
ARM GE8320 clocked up to 650MHz

Which means the APK which is released for arm64-v8a, should be installable on the phone?
But it can't be installed on my phone at all.
Also tried installing it via ADB by downloading the APK to my laptop first and got this:

$ adb install zapstore.apk

Performing Streamed Install
adb: failed to install zapstore.apk:
Failure [INSTALL_FAILED_NO_MATCHING_ABIS: Failed to extract native libraries, res=-113]

user story

As ZapStore lead maintainer, I would like to be able to allow app devs to sign up for signing their app through the zapstore website via nostr, so that their apps appear authenticated by dev on ZapStore.

acceptance criteria

1. There is a method to sign up via nostr on the dev ZapStore landing page
2. Dev is DM'd immediately on nostr
3. If auth process is not completed dev is reminded in 1 hour, 8 hours, and every 24 hours thereafter
4. Reminders are turned off if dev completes auth
5. Reminders are turned on every new release, and turned off until dev signs

implementation details & open questions

1. takes place via nostr DM
2. can dev sign with npub, and do the rest via nostr, or in another app?
3. must sign in take place with nsec

signing up for DM reminders of "hey you just made a release, sign your app/release/metadata" by visiting this website or using this CLI tool (active)

Show this in the app detail screen.

If no API available, build one

• exodus-privacy
• https://www.virustotal.com/
• https://themarkup.org/blacklight

Until we implement #24

user story

As a newbie who has would like to have the "correct" apps installed as recommended by my friend, I would like way to use my trusted friend's recommendations on what apps I should use, so that I can hit the ground running as a newly minted sovereign individual.

acceptance criteria

1. there is a method to input a list of apps to be installed as recommended by my friend
2. conversely, my friend can select & recommend a list of apps to me from zapstore #52
3. there is a method to verify that I am using my trusted friend's recommendations, and not someone else's recommendations
4. there is a method to tap review my friend's app recommendations
5. there is a method to deselect/select apps to be installed from my friend's recommendations
6. there is a button to install selected/install all apps

questions & implementation

-what if some apps are already installed?
-can my friend pre-configure certain apps. for instance:

1. my friend has pre-configured my nostr social media app with specific relays
2. my friend has pre-configured my LN wallet with a starting balance, joined a mint, selected a LSP etc..

prerequisite

#20

what happens

After I log in with e.g. [email protected], and close the app, zap.store forgets that I was logged in. I have to log in again.

suggestion

Remember that / keep me logged in, until I log out.

In case of new android device

what happens

When I enter a search term, and I receive results, after I clear the search box nothing happens. Search results remain.

After I hit the home button, nothing happens Search results remain.

Suggestion

Consider clearing search results.

Design

What's the expected pattern here @NielLiesmons ?

user story

As a zap.store enthusiast, I would like to submit another dev's app to zap.store, so that the zap.store app library becomes more valuable for me and others.

acceptance criteria

1. there is a method to suggest an app to zap.store
2. required field: provide repo where APK can be found
3. optional field: provide repo where SHA256 can be found

user story

TBC

Currently WOT is absent on app results screen. This is useful info to know before investigating an app in detailed app view.

Building on nostr means to be interoperable but I can't find which kinds of events are being used here.

I ask because I maintain the probably biggest repository of Bitcoin wallet apps at WalletScrutiny.com where we also recently started to add ratings for apps and I would like to have synergy between the two projects as early as possible.

Button to clear local storage (and restart persistence)

what happens currently

I can log in as a single user - e.g. [email protected]

what I would like to do

I would like to do log in as a few different users simultaneously, so that I can combine the WOT for extra signal.

https://njump.me/note1n4qfvqnle0fds5phqwv9lp25qx0p7m6yvmulrt50zw0qrkzvu5hqr6puq5

TBC

related to

WOT app usage #4

I'm writing a README.md file which can help with your develop.
If there's a specific topic or documentation to add, I would be happy to contribute.

Requires #3

So that I can demo the app right away, start in logged in as [email protected], and clearly display "logged in as [email protected]".

Add a method to log in as other npub.

Add the initializer to bigger form factors

Have a button for users to send a non personally identifiable debug log when shit goes wrong

See https://njump.me/nevent1qvzqqqqqqypzq52yl6y07sjnceqga6yuulawdagpmpzen0zm69qpf5ywfz2c04d0qyv8wumn8ghj7mn0wd68ytnxd46zuamf0ghxy6t69uq32amnwvaz7tmwdaehgu3wdau8gu3wv3jhvtcqyrswu6jaskxzp0c6ss5efnsgyh0zkqzznpuyapjd57c3rptu2ugcwt9y8st