Zero Install is secure by design:

  • Feeds (files describing applications) are signed with GnuPG. This ensures that future updates to an application still come from the same publisher as the original.
  • Downloaded applications are verified with SHA-256 hashes to ensure they have not been damaged or tampered with.
  • The synchronization feature uses client-side AES encryption as well as an HTTPS connection.