When you install an app on Sandstorm, the server verifies the app author back to their GitHub, Twitter, etc. identities.
So here's a problem I've had a bunch of times: I'm installing an app from the Play Store. I believe the app is from Google, and as such I'm willing to give it permissions that I wouldn't give to a random developer. However, I can't quite tell from the store page whether the app is really from Google. It says that the developer is "Google", but I can't tell what kind of verification has been done on that text. Could just anyone upload an app and write "Google" in the developer field and trick me?
I'm pretty confident that the Play Store actually verifies that field, because it would be pretty terrible if it didn't. But now there's a new question: How does the store know the app was from Google? Or imagine if it's not a big name like Google, but rather an independent developer. Say Audrey Tang submits an app. Does her name appear on the store page? How does Google verify that name? Does she have to send them ID? ID can be forged (plus her ID would be from Taiwan; do the verifiers even know how to verify it?). Or "Audrey Tang" may not be her legal name, but it's what I know her by. Moreover, there could be multiple Audrey Tangs. Do they all get to go by the name "Audrey Tang" on the store?
Maybe the Play Store has answers to these questions, but if I, as a user, don't know what those answers are, I can't blindly trust it. And I don't seem to know what the answers are. They haven't been presented to me. Nothing on the Play Store obviously tells me how identities are verified.
Well, for Sandstorm apps, this is now solved: We use PGP and Keybase to track an app back to the author's uniquely-identifying social identities. Crucially, no one except the author needs to do any manual work to set this up, so it scales nicely to indie developers. I know Audrey Tang's GitHub account because it's one of the main ways I've interacted with her, so that's actually better than a "real name" for me.
And crucially, any user new to Sandstorm who doesn't know anything about this can easily learn, starting from the Sandstorm interface, how people are verified. There's a brief description and some links where you can learn more.
BTW, it also works when sideloading (installing apps from sources other than apps.sandstorm.io).
Try it: https://demo.sandstorm.io