"To be safe, always check the digital signature of EXEs you downloaded, before you run them. The official Classic Shell installer has a signature for "Ivaylo Beltchev", and the fake one doesn't even have a signature."
And per another user (silmar), my sentiments:
"The problem with signed installers is: many software developers don't sign, so you install even if Windows warns you. Even if someone signs and then stops signing, it may be that he forgot about it. But you want to install NOW, so you skip the warning."
Admittedly the download page doesn't mention signing or how to look for that, though, per the comment I referenced above, I doubt it would make much difference to the vast majority of users.
I doubt it as well, and I completely agree with what you and others have said. While I rarely use Windows, it's unsurprising to see software from smaller development shops release software with no signature (or at least historically it's been unsurprising). So, this complacency sort of breeds the habit of simply clicking through and installing anyway. Heck, I even remember when installing certain drivers often required clicking through similar warnings since they occasionally weren't signed.
While I'd like to think things are generally better now, I think the historical inertia of Windows' ecosystem and how conditioned users have become to ignoring such warnings is at least partially (mostly?) at fault. There's no easy way to correct people's behavior, and enforcing certain settings (e.g. only installing signed software) would mean either 1) upsetting power users or 2) users still finding a way to disable such checks.
I was just suggesting it would be easier to have people check for the displayed signature than get them to hash their download and compare it to something on the website.
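The signature check discussed in this thread, as an added PowerShell example that is not part of the original posts or of the Classic Shell project. The function name `Test-InstallerSignature` and the file path are assumptions made for illustration; only the signer name "Ivaylo Beltchev" comes from the thread.

```powershell
# Added example: verify an installer's Authenticode signature before running it.
# Test-InstallerSignature is a hypothetical helper name, not a built-in cmdlet.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Status is Valid only if the file hash matches and the chain is trusted.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Pull the signer's display name (the certificate's simple name), if any.
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    $verdict = switch ($sig.Status) {
        'NotSigned' { 'Unsigned: no Authenticode signature present'; break }
        'Valid' {
            if ($signer -eq $ExpectedSigner) { 'OK: valid signature from the expected signer' }
            else { "Mismatch: valid signature, but the signer is '$signer'" }
            break
        }
        default { "Rejected: signature status is $($sig.Status)" }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Trusted    = ($sig.Status -eq 'Valid' -and $signer -eq $ExpectedSigner)
        Verdict    = $verdict
    }
}

# Placeholder path (assumption): point this at the installer you downloaded.
$result = Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\installer.exe" -ExpectedSigner 'Ivaylo Beltchev'
$result | Format-List
if (-not $result.Trusted) { Write-Warning 'Signature check failed; do not run this file.' }
```

Matching on the signer's display name mirrors what the Windows prompt shows; comparing the reported `Thumbprint` against a value published by the developer is stricter, but the thread does not give one.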