Hi guys,
There is a recent trend of attacks on servers where an application's original installer is replaced with a malware-infested one. Handbrake, CCleaner, Elmedia Player are a few recent examples. Some of these infected binaries have even succeeded at bypassing Apple's Gatekeeper.
With that in mind, I wonder if the devs have considered using GPG to sign their releases. It could help mitigate this issue; at least for the users who verify the signatures after downloading. Additionally, the users who detect invalid signatures in a release could immediately notify the developers, aiding in a quick recovery from a hypothetical attack.
Regards,
Mohak
P.S.: On a side note, I am extremely thankful to all the developers for O3X! You have made my life a hell of a lot easier by porting ZFS to macOS. I can finally use a modern fs and share my drives between my Mac and Linux machines.