Event JSON
{
"id": "cb39011cfd12e93ad211f841c459010d23443a9eac429694662775e084d70529",
"pubkey": "d70d50091504b992d1838822af245d5f6b3a16b82d917acb7924cef61ed4acee",
"created_at": 1735844538,
"kind": 1,
"tags": [
[
"e",
"b4a71169ce8981c84224102ac768ffce0a917cf1a154964158983b0d32bdef03",
"",
"root"
],
[
"e",
"c1715aca7580e0836177aba2074507a5f0947847ad802e7e7958cf715bcb5ceb"
],
[
"e",
"84b7a248b00044614cc2911f921d45633d8e97739c718bc5621059f542baadb0",
"",
"reply"
],
[
"p",
"22f7161f76e075b9e0a250a447884ac09b04b636effd7c703a92394ed3fb39e8"
],
[
"p",
"d70d50091504b992d1838822af245d5f6b3a16b82d917acb7924cef61ed4acee"
],
[
"r",
"zap.store"
],
[
"r",
"zap.store"
],
[
"r",
"zap.store"
],
[
"r",
"zap.store"
],
[
"r",
"zap.store"
],
[
"r",
"zap.store"
]
],
"content": "My bet is it's zap.store signs a bunch stuff themselves. For example, primal on zap.store is signed by zap.store and that is probably the zap.store dev doing the link aggregating from github you're talking about, but this kinda defeats the purpose IMO, but olas for example has a pipeline that signs and publishes to zap.store, which is how it's supposed to be used. Otherwise you're basically just substituting your trust of Google to zap.store supported by a web of trust (most of which probably don't know what the fuck they're actually downloading) ",
"sig": "ea85772772d8587f1a80a1d281341082b825bbfeb9486f791c3e7e09679ac567d8b042ca575bc09a12e03f7d4dda4d4cffb01aeefacd3c532058b6a3ece450b2"
}
