2024-07-03 02:30:44
franzap on Nostr:

I don't think there's a way to verify a package other than trusting the builder/signer. That's what reproducible builds are for.

Artifact hashes: yes, NIP-94

PGP: we're adding it to kind 0s! Currently building a tool developers will use with the ability to attach their PGP keys or certs. See
Dear friends, part of getting developers signing their apps on nostr is giving them the ability to link their other cryptographic identities (for instance, their Android keystore) to nostr.

For this I have submitted a PR to the NIP repo, to enhance NIP-39 with cryptographic identities. (It's been in stand-by for months.)

We will probably start using it regardless but if you have any input, please chime in. Or make some noise there so we can get it merged 🙏

https://github.com/nostr-protocol/nips/pull/1335
Author Public Key
npub1wf4pufsucer5va8g9p0rj5dnhvfeh6d8w0g6eayaep5dhps6rsgs43dgh9