Five on Nostr: There is no end to this process whether you do it on mobile or laptop or anything ...
There is no end to this process whether you do it on mobile or laptop or anything else. You see, no matter how many verification steps you include at the end of the chain you still have _some_ app or package to trust. There is no root of trust in that sense.
The app verifier step is enough because to really validate Zapstore you need to test how it works when installed, and/or rely on others reporting bugs/exploits here. Remember, anyone could have posted a binary that is signed properly with _some_ key but still be malicious.
If you have the source code, can check crucial parts and build it yourself, that is the most you can do but most will rely on some executable already built and the whole open source community to report bad stuff.
The app verifier step is enough because to really validate Zapstore you need to test how it works when installed, and/or rely on others reporting bugs/exploits here. Remember, anyone could have posted a binary that is signed properly with _some_ key but still be malicious.
If you have the source code, can check crucial parts and build it yourself, that is the most you can do but most will rely on some executable already built and the whole open source community to report bad stuff.