Public key for verifying download signatures?

zvin: “I don’t think macOS would run unsigned binaries anyway.” I don’t think so, either, but I don’t know how the signing works. If a person is phished to another site in which the binary is signed, but not by balena-Etcher, would it still run? One common way of injecting adware/malware onto a system is to encapsulate a good product with malware; would the encapsulator signature then be installable because it’s signed? I don’t know the answers to these things.

I do know that I have a reasonable amount of open source software on my machine, including KeePass variants, OpenVPN, nmap, gpgTools, Ubuntu and Mint, and all of them provide PK signature verification as well as artifact checksum validation. I hope balena-Etcher does so in the future.

Thanks.
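As an added illustration of the two checks the post asks for (not code from the original post or from balena), here is a POSIX shell snippet that verifies a downloaded artifact against a SHA256SUMS manifest and, optionally, checks a detached GPG signature on that manifest against a pinned key fingerprint. The file names (SHA256SUMS, SHA256SUMS.sig) and the idea of a published signing-key fingerprint are assumptions for illustration; they are not balena-Etcher's actual release layout.

```shell
#!/bin/sh
# Added example, not from the original post or from balena. Manifest and
# signature file names and the signer fingerprint are assumptions.

# Print the SHA-256 of a file using whichever tool the platform provides
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum ARTIFACT SUMSFILE
# Returns 0 only if SUMSFILE has an entry for the artifact's basename and the
# recorded digest matches the computed one. Manifest lines look like
# "<hex>  <name>" or "<hex> *<name>" (binary mode), as sha256sum/shasum write
# them. A missing entry is a failure, not a pass. (Names with spaces are not
# handled here.)
verify_checksum() {
    artifact=$1; sums=$2
    name=$(basename "$artifact")
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums" | head -n 1)
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$artifact")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# verify_manifest_signature SUMSFILE SIGFILE KEY_FINGERPRINT
# A checksum alone only proves the file matches the manifest you were given;
# whoever serves a tampered binary can serve a matching manifest next to it.
# The manifest therefore needs a signature, checked against a key fingerprint
# you obtained out of band. gpg's machine-readable status line
# "VALIDSIG <fingerprint> ..." is matched against that pinned fingerprint, so a
# signature by some other key already in the keyring is rejected. Requires gpg.
verify_manifest_signature() {
    sums=$1; sig=$2; fpr=$3
    status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || {
        echo "gpg could not verify $sig over $sums" >&2; return 1; }
    echo "$status" | grep -q "VALIDSIG $fpr " || {
        echo "manifest signed, but not by pinned key $fpr" >&2; return 1; }
    return 0
}

# Typical use (assumed file names):
#   verify_manifest_signature SHA256SUMS SHA256SUMS.sig "<fingerprint>" \
#     && verify_checksum balenaEtcher.dmg SHA256SUMS
```

Run the signature check first and the checksum check second; if either fails, treat the download as untrusted. The signature check only answers "was this manifest produced by the holder of the pinned key"; it says nothing about what the OS will do with the binary, which is the separate code-signing question raised above.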