2025-05-29 16:05:47

Dikaios1517 on Nostr: Good question. The only part of the notification that may not be easily understood is ...

Good question. The only part of the notification that may not be easily understood is the "Hash Mismatch" portion. The rest is plain.

I don't think the problem is primarily a lack of understanding the meaning of the warning. I think the issue is that users are assuming the Zapstore is wrong in presenting the warning at all. That the file certainly isn't malicious, and there must be a bug in the Zapstore.

It's a sort of normalcy bias. Apps generally install fine. They've never experienced installing an app that was actually not what the dev released, but was a malicious app put in its place. So they assume it couldn't actually be what has occurred.

What's more, they're probably correct that it isn't a malicious app. It's probably just that the dev made a change after signing and didn't update the signature on the Zapstore. However, the correct course of action is not to assume that's the case and install the app anyway directly from GitHub... The correct thing to do is reach out to the dev and alert them to the fact that there is a hash mismatch, so the dev can diagnose why.

Perhaps the alert should suggest this course of action.
Author Public Key
npub1kun5628raxpm7usdkj62z2337hr77f3ryrg9cf0vjpyf4jvk9r9smv3lhe