zapstore

Developers – join zap.store!

Last updated: April 17, 2024

There are a few different ways of linking app releases to a developer's nostr profile.

Which one would you prefer to use first? Where are you comfortable storing your product's nsec or your own? We appreciate any feedback!

(If you need more context see here)

  1. NIP-69. Every Android APK is signed with a certificate whose private key you hold. Identity can be established by linking that signing certificate to a nostr pubkey via NIP-69. The same approach also works for PGP keys.

    • Pros: sign just one event, then set and forget (until the PGP key or certificate expires or is compromised)
    • Cons: many developers build with GitHub Actions and have already handed this signing key to GitHub; you also need to remember to revoke the NIP-69 link if the certificate is ever compromised
  2. NIP-46 GitHub Action. Include a remote signer (bunker) GitHub Action in your build process so that releases are signed automatically.

    • Pros: automated, set and forget
    • Cons: requires setting up and operating a NIP-46 bunker (or entrusting someone else to run one); requires some sort of secret token so the Action can request a signature – arguably much better than giving GitHub a private key, which is currently common practice.
  3. Signature reminders. zap.store automatically scans for new releases on GitHub and other build systems and can notify the developer via DM with a link to sign the release in one of three ways: (1) a web page where they input the artifact (or a link to it) and sign with Alby or similar; (2) a CLI tool that we will build for this purpose; (3) signing inside the zap.store app via Amber.

    • Pros: the most direct, accurate and secure way of ensuring a release belongs to a developer
    • Cons: manual work

You can DM @franzap here or leave a comment on our GitHub issue.