Downloading files on your device still exposes a major security risk and can ultimately lead to an entire system compromise by an attacker. Especially because the security risks are ...
A lot of downloads do not make it easy to verify its checksums either to verify the authenticity of the file even if you’re downloading from a source that is credible.
If you got the checksum via a different channel or if it’s signed with a key you’ve got from elsewhere (ideally, or just TOFU). Otherwise you’re still “only” trusting the https connection.
Whoever downloads and runs executables without a second channel for verifying their authenticity is fucked anyways https or not :/
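The check discussed in the replies above, as an added example that is not part of the original thread: compare a download's SHA-256 against a digest obtained over a second channel, and fall back to TOFU (pin the digest on first use, reject any later change) when no such digest is available. The function names, the JSON pin-store format and the sample file are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large downloads are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, name, pin_store, second_channel_digest=None):
    """Check a download before use; raise ValueError on any mismatch.

    second_channel_digest: hex SHA-256 obtained outside the download
    connection. Without it, fall back to TOFU against pin_store.
    """
    actual = sha256_file(path)
    pins = {}
    if os.path.exists(pin_store):
        with open(pin_store) as f:
            pins = json.load(f)
    if second_channel_digest is not None:
        expected = second_channel_digest.strip().lower()
        if not hmac.compare_digest(actual, expected):
            raise ValueError(f"{name}: digest differs from second-channel value")
        status = "verified"
    elif name in pins:
        if not hmac.compare_digest(actual, pins[name]):
            raise ValueError(f"{name}: digest differs from pinned value")
        return "pin-match"
    else:
        status = "pinned-first-use"  # TOFU: nothing to compare against yet
    pins[name] = actual
    with open(pin_store, "w") as f:
        json.dump(pins, f, indent=2)
    return status

if __name__ == "__main__":
    # Constructed sample data: a fake release file in a temp directory.
    d = tempfile.mkdtemp()
    artifact, store = os.path.join(d, "tool-1.0.tar.gz"), os.path.join(d, "pins.json")
    with open(artifact, "wb") as f:
        f.write(b"constructed release bytes")
    print(verify_download(artifact, "tool-1.0.tar.gz", store))  # first use
    print(verify_download(artifact, "tool-1.0.tar.gz", store))  # same bytes
```

A "pinned-first-use" result only records what was received; it says nothing about whether that first copy was genuine, which is the limit of TOFU compared with a second-channel digest or a signature.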