Matt (nprofile…5cc2) I don't see an issue with it because they clearly display SHA256.
Let's take Bitwarden latest release for example. This is a sha for the apk from their GitHub repo (copy/paste)
sha256:fc8c8124650665270925648e0ec35bf7336f26058e3bd72eabf41d859727d220
You will see this same sha displayed in zapstore. Makes no huge difference who signs the release if keys match.
invisibull
npub1z6…hcwr3
2026-01-20 19:04:03 UTC
in reply to nevent1q…3dve
Author Public Key
npub1z6cae5kc07sgcr79kxjrrhgklhkwfs5n4w9nzup62ej4p07jtu4qfhcwr3Seen on
wss://nostr.momPublished at
2026-01-20 19:04:03 UTCEvent JSON
{
"id": "96fdafdb4f40e6157b1326863d4f0d3e41ac18d8b4e617c6232d8d8234945187",
"pubkey": "16b1dcd2d87fa08c0fc5b1a431dd16fdece4c293ab8b31703a566550bfd25f2a",
"created_at": 1768935843,
"kind": 1,
"tags": [
[
"alt",
"A short note: nostr:nprofile1qqs0agvxc2jx0rdugdmsfmkjzcyyd698s8j..."
],
[
"e",
"059b60b7bbd97375cc5cecd275abe57dd1c3eb3b8ec0b68b8d780f1859cffcc9",
"wss://nos.lol/",
"root",
"4eb88310d6b4ed95c6d66a395b3d3cf559b85faec8f7691dafd405a92e055d6d"
],
[
"e",
"892ecc320ac9e24562656f30de7a50aa6ddee4441e181264f8d89fdc19f497cf",
"wss://relay.primal.net/",
"",
"16b1dcd2d87fa08c0fc5b1a431dd16fdece4c293ab8b31703a566550bfd25f2a"
],
[
"e",
"7b20f98d784d829bb6529e6fe25789cdfb403af118bcce96ec83253399ed1520",
"wss://nostr.land/",
"reply",
"fea186c2a4678dbc437704eed2160846e8a781e5fb17056e9bb333840d5bdef2"
],
[
"p",
"78ce6faa72264387284e647ba6938995735ec8c7d5c5a65737e55130f026307d",
"wss://nostr.wine/"
],
[
"p",
"4eb88310d6b4ed95c6d66a395b3d3cf559b85faec8f7691dafd405a92e055d6d",
"wss://nostrelites.org/"
],
[
"p",
"16b1dcd2d87fa08c0fc5b1a431dd16fdece4c293ab8b31703a566550bfd25f2a",
"wss://nostr.mom/"
],
[
"p",
"fea186c2a4678dbc437704eed2160846e8a781e5fb17056e9bb333840d5bdef2",
"wss://nostr.land/"
],
[
"p",
"fea186c2a4678dbc437704eed2160846e8a781e5fb17056e9bb333840d5bdef2",
"wss://nostr.land/"
]
],
"content": "nostr:nprofile1qqs0agvxc2jx0rdugdmsfmkjzcyyd698s8jlk9c9d6dmxvuyp4daauspz9mhxue69uhkummnw3ezumrpdejz7qgmwaehxw309a6xsetxdaex2um59ehx7um5wgcjucm0d5hsxx5cc2 I don't see an issue with it because they clearly display SHA256.\n\nLet's take Bitwarden latest release for example. This is a sha for the apk from their GitHub repo (copy/paste)\n\nsha256:fc8c8124650665270925648e0ec35bf7336f26058e3bd72eabf41d859727d220\n\nYou will see this same sha displayed in zapstore. Makes no huge difference who signs the release if keys match.",
"sig": "42720232bfd04ddf0340e9bc3c7e699390e27f67d0c88e907c06afd21ca0087e32e0d8b965fc1b11ae9d172395551f79b3d86631596dd015590d822a3afae848"
}