// the find
kurikomi-labs/komi-store
🩵 A free, open-source app store for developers' releases on GitHub, Codeberg & Forgejo — browse, discover, and install apps with one click. Formerly GitHub Store.
Komi Store is a cross-platform app store (Android, Windows, macOS, Linux) built with Kotlin Multiplatform + Compose Multiplatform that surfaces GitHub/Codeberg/Forgejo releases with actual installable binaries. It handles discovery, download, and update tracking for open-source apps that ship binaries but aren't in any official store. Aimed at power users who live outside Google Play and the Mac App Store.
1. The Android security model is genuinely well-considered: signing fingerprint verification blocks auto-updates if the APK key changes mid-flight, which is the actual attack vector on GitHub releases. Most similar tools ignore this entirely.
2. Asset filter regex and variant pinning solve a real problem — publishers routinely rename release assets between versions and break naive 'download latest' automation. Per-app regex is the right abstraction.
3. The download mirror system races multiple sources and verifies SHA-256 against GitHub's published digests rather than trusting the download blindly. Not glamorous, but correct.
4. The build-logic convention plugin structure (KmpLibraryConventionPlugin, CmpFeatureConventionPlugin, etc.) shows someone actually thought about the multi-module build rather than copy-pasting Gradle boilerplate into 20 modules.
1. The curated discovery index lives entirely on api.github-store.org, a backend controlled by one developer. If that goes down or the maintainer loses interest, the app degrades to raw GitHub Search with no curation. The README says it's open-source and self-hostable but buries this — most users will never self-host.
2. Silent install via Shizuku/Dhizuku combined with auto-update means a compromised release on any tracked repo flows to users without a prompt. The signing fingerprint check only catches key rotation after the first install — it doesn't protect against a publisher whose account gets hijacked from day one. This is a meaningful risk surface they haven't documented beyond a legal disclaimer.
3. macOS is genuinely second-class: not notarized, requires running xattr manually after install, and Gatekeeper marks it 'damaged' without the workaround. Fine for developers who know what xattr is, but it undermines the 'one-click install' pitch on the platform where that friction matters most.
4. Room schema is at version 18 with no visible migration tests in the tree. Eighteen migrations means eighteen opportunities for data loss on upgrade, and KMP Room support is still relatively new — the combination of frequent schema churn and limited ecosystem tooling for migration testing is a real adoption risk.
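The signing-fingerprint and SHA-256 points above, and the first-install gap in the fingerprint check, can be seen in a small model of a trust-on-first-use update gate. This is an added example, not Komi Store's own code: `UpdateGate`, the package names and the byte strings standing in for certificates and APKs are all hypothetical and constructed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class UpdateGate:
    """Hypothetical update gate: digest check, then trust-on-first-use key pin."""

    def __init__(self):
        self.pins = {}  # package name -> pinned signing-certificate fingerprint

    def check(self, package, cert_der, asset, published_sha256):
        # Integrity: the downloaded bytes must match the digest published with the release.
        if sha256_hex(asset) != published_sha256.lower():
            return "reject: digest mismatch"
        fp = sha256_hex(cert_der)
        pinned = self.pins.get(package)
        if pinned is None:
            # First install: nothing to compare against, so whatever key signed
            # this release becomes the pin.
            self.pins[package] = fp
            return "accept: first install, key pinned"
        if pinned != fp:
            return "block: signing key changed"
        return "accept: key matches pin"

# Constructed sample data; the byte strings stand in for DER certificates and APKs.
PUBLISHER_CERT = b"constructed-publisher-cert"
OTHER_CERT = b"constructed-unknown-cert"

def run_scenarios():
    gate = UpdateGate()
    v1, v2, v3 = b"app-1.0", b"app-1.1", b"app-1.2"
    results = [
        gate.check("org.example.app", PUBLISHER_CERT, v1, sha256_hex(v1)),
        gate.check("org.example.app", PUBLISHER_CERT, v2, sha256_hex(v2)),
        # Tampered mirror copy: bytes differ from the published digest.
        gate.check("org.example.app", PUBLISHER_CERT, v2 + b"x", sha256_hex(v2)),
        # Release signed with a different key after the pin exists.
        gate.check("org.example.app", OTHER_CERT, v3, sha256_hex(v3)),
    ]
    # Never-installed package whose first seen release is signed by the unknown key;
    # its digest is published by the same account, so both checks pass.
    first = b"tool-0.1"
    results.append(gate.check("org.example.tool", OTHER_CERT, first, sha256_hex(first)))
    # The original publisher's key is then the one that gets blocked.
    results.append(gate.check("org.example.tool", PUBLISHER_CERT, first, sha256_hex(first)))
    return results

if __name__ == "__main__":
    for line in run_scenarios():
        print(line)
```

The last two results are the case the review flags: the pin only has meaning relative to the first key seen, so a silent-install path needs an out-of-band source for the expected fingerprint to cover it.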