This is a misconception and conflation of concepts, but it's my fault for not explaining better (although it has been addressed in the latest Zapstore). Define signing? Indexed apps on Zapstore are simply caching what is on Github -for discoverability which is nil in Obtainium- and signing a Nostr event with that. They are NOT signing the APK. So in this sense it has the exact same level of risk than Obtainium. I would say less, because on Zapstore you can tell what you are about to install, in Obtainium it's not that clear because of lacking metadata. By default Zapstore will install from the external/original source, and only fall back if it 404'd: