> Anyway, the only way to solve these issues in the long-term is with relying more on signed software, similar to how Linux repos work already today.
It seemed as though Windows was warning the users that the software was unsigned; they just clicked through it. That's a different problem -- it's entirely possible to have a signing system, but if enough developers hate and refuse to use it, then users will quickly become conditioned to click through the warnings.
I'll be honest: if there was an app that I wanted to install, and I got an unsigned-package warning, my first thought on both Mac and Windows would be that the developer probably had an ethical or financial problem with the signing scheme, not that the package was compromised. On Linux, I'd be more confident and probably stop what I was doing, but only because very little software makes it onto distribution systems if the developer has an issue with the platform...
I usually check the hashes of all software I download.
How do I check the hash if the vendor doesn't publish it, you might ask? Simple, calculate it and Google it. If you find what look like legitimate hits associating this file with this hash, call it good.
And it does work in this case - try googling both the published good and bad hash :)
In this case a distribution site which hosts both the hash and the file was hacked. This test is only good for "is the integrity of the download good", not for "is this created by the original developer". An Authenticode or PGP signature is much better.
It is good if the compromise is not large-scale or is recent (e.g. only one of the mirrors was compromised, or the compromise is recent enough that search engines and such don't know much about the hacked version).
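As an added illustration of the hash-checking routine described in the comments above (this is example code, not something any of the commenters posted): a small POSIX shell script that computes a download's SHA-256 and compares it to a published digest. The "download" and the published digest are constructed inline so the script runs offline; the tampered copy shows what a mismatch looks like. Note that a matching digest only tells you the bytes are the ones the digest describes, which is exactly the integrity-only limitation pointed out above: if the digest and the file are served from the same compromised page, both can be replaced together, and only a signature from a key you already trust closes that gap.

```shell
#!/bin/sh
# Added example (not from the thread): check a downloaded file against a published
# SHA-256 digest. The digest and the "download" are constructed here so it runs offline.

# Compute the SHA-256 of a file, working on both GNU coreutils and macOS/BSD userlands.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if the file's digest equals the expected one, 1 otherwise.
# The comparison is case-insensitive because vendors publish hex in either case.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Constructed sample: a "download" whose content is the bytes "hello\n".
# Its SHA-256 is the well-known value below; pretend it was copied from the vendor's page.
PUBLISHED_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

workdir=$(mktemp -d)
printf 'hello\n' > "$workdir/installer.bin"
printf 'hello!\n' > "$workdir/installer-tampered.bin"   # one extra byte: a modified copy

if verify_sha256 "$workdir/installer.bin" "$PUBLISHED_SHA256"; then
  echo "installer.bin: digest matches the published value"
else
  echo "installer.bin: MISMATCH"
fi

if verify_sha256 "$workdir/installer-tampered.bin" "$PUBLISHED_SHA256"; then
  echo "installer-tampered.bin: digest matches the published value"
else
  echo "installer-tampered.bin: MISMATCH (file differs from what the digest describes)"
fi
rm -rf "$workdir"
```

Running it prints a match for the untouched file and a mismatch for the modified one. A digest found via a search engine, as suggested above, plugs into the same `verify_sha256` call; it raises the bar only as long as the search results were indexed before the hosting site was compromised.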
It helps that signing packages for Linux distributions costs $0, since they all use GPG. I actively avoid adding repositories that aren't signed with GPG keys for this reason, though it still doesn't protect me from compromised keypairs.
Would’ve been funny to see what they’d have done with EFI – maybe a graphical message?
Anyway, the only way to solve these issues in the long-term is with relying more on signed software, similar to how Linux repos work already today.