Zero Install is secure by design:
- Feeds (files describing applications) are signed with GnuPG signatures. This ensures that future updates of applications still come from the same publisher as the original.
- Downloaded applications are verified with SHA-256 hashes to ensure they have not been damaged or tampered with.
- The synchronization feature uses client-side AES encryption as well as an HTTPS connection.