
I normally work on larger projects (BrowserBox, dn), and now believe in new release methods which is why the source is closed.

Your radar was okay: the site is machine-generated by the build workflow which pushes the binaries. The "Verified" label reflects internal CI attestation, but without public hashes? Might cause concern. Did not consider, though based on your comment I've now replaced it with "Digitally Signed and Notarized".

So it reflects more accurately how the binaries are always digitally signed and notarized (Apple Developer ID + Microsoft Authenticode) with our company certs. SOP for my releases. The verification is the cryptographic signature checked by your OS kernel, not just a text file.

I actually like this presentation better now!



Signing, notarization, and hash checking just ensures that what I run is the thing that you meant for me to run. Source availability permits me to ensure that what I run is the thing that I meant to run.
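The "public hashes" point raised in the first comment and the "hash checking" point in the reply both come down to the same check: does the file I fetched match the digest the publisher committed to. The script below is an added example, not code from either commenter or from the project under discussion. It assumes a POSIX shell with `sha256sum` from coreutils and builds its own constructed release artifact, manifest and tampered copy in a temp directory so it runs offline; `verify_release`, `demo` and the file names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded release artifact against a published
# SHA-256 manifest (the "public hashes" a release page can ship alongside
# signed binaries). Constructed data only; assumes sha256sum is available.
set -eu

# verify_release MANIFEST FILE
#   returns 0 if FILE's SHA-256 matches its entry in MANIFEST, 1 otherwise
verify_release() {
    manifest=$1
    file=$2
    # manifest lines look like "<hex digest>  <filename>" (sha256sum format)
    expected=$(awk -v f="$(basename "$file")" '$2 == f { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $file" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (expected $expected, got $actual)" >&2
    return 1
}

# demo: publisher generates a manifest for a constructed binary; a second
# copy with the same name but different bytes must be rejected.
demo() {
    dir=$(mktemp -d)
    printf 'constructed release binary v1.0\n' > "$dir/app-1.0.bin"
    # publisher side: the manifest that would be posted with the release
    (cd "$dir" && sha256sum app-1.0.bin > SHA256SUMS)
    # a byte-for-byte different file delivered under the same name
    mkdir "$dir/tampered"
    printf 'constructed release binary v1.0 plus extra bytes\n' > "$dir/tampered/app-1.0.bin"

    verify_release "$dir/SHA256SUMS" "$dir/app-1.0.bin"   # expected: OK
    if verify_release "$dir/SHA256SUMS" "$dir/tampered/app-1.0.bin" 2>/dev/null; then
        echo "unexpected: tampered file passed verification" >&2
        rm -rf "$dir"
        return 1
    fi
    echo "tampered copy rejected as expected"
    rm -rf "$dir"
    return 0
}

demo
```

The manifest only adds assurance if it arrives through a channel the downloader trusts independently of the binary: a signed `SHA256SUMS` file, or one published on infrastructure separate from the download mirror. A hash served from the same place as the binary confirms integrity in transit but says nothing about whether the publisher's build pipeline produced both, which is the gap the signing and notarization in the thread address and the gap source availability addresses differently.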



