Channel: Rainmeter Forums

Rainmeter News • Re: Man in the Middle Attack Mitigation

The way it works is that the "installer" .exe program is signed by SignPath Foundation. That is the application you download from the website and requires the most serious level of certification. The .exe and .dll files inside the installer, the ones that are actually installed on your computer, are self-signed by us, as they can be trusted since they came inside the very secure installer container. When Rainmeter is auto-updated by the application itself, you don't really see the "installer", but it is indeed used to deliver the application and install it. The SHA hash of the installer is checked before it is executed by the auto-update process.

So the long and the short of it is that yes, what you are seeing is correct.

The installer:
1.jpg

The internal program files:
2.jpg

The goal intended by "signing" the installer is to allow it to be safely downloaded. Hopefully and presumably from our website or WinGet, but really from anywhere. It allows the installer to be "trusted" by Microsoft Windows, which will require this trust in order to download and run without lots of barking and snarling. The internal application .exe and .dll files are not going to be downloaded, and don't require having to jump through these hoops. The self-signed certificate has the same effect of tying the files to our organization in a trusted way, just not using an external certificate issuing entity that is "trusted" by Microsoft.

Thank you for clarifying! That's basically how my files looked. This is probably a stupid question, but when you say downloading the installer from WinGet - is that the same thing as installing the update from within the Rainmeter application when prompted? Was that safe to do if my ISP wasn't hacked like the article described?

Statistics: Posted by meloncake — Today, 5:17 am
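
To reproduce the comparison discussed in this thread on your own machine, the following PowerShell lists the signer, issuer and Windows trust status of the installer and of the installed .exe and .dll files. It is an added example, not part of the original posts and not Rainmeter's own code; the two paths are placeholders, the function name is hypothetical, and SHA-256 is an assumption, since the post only says "SHA hash".

```powershell
# Added example: summarize who signed each file and whether Windows trusts the chain.
# Get-SignerSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-SignerSummary {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $cert = $sig.SignerCertificate

        [pscustomobject]@{
            File       = Split-Path -Leaf $p
            # 'Valid' means the signature verifies AND the chain ends in a root
            # this machine trusts. 'NotSigned' means there is no signature at all.
            Status     = $sig.Status
            Subject    = if ($cert) { $cert.Subject } else { $null }
            Issuer     = if ($cert) { $cert.Issuer }  else { $null }
            # A self-signed certificate names itself as its own issuer.
            SelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
            # Algorithm is an assumption; compare only against a hash obtained
            # from a source you trust independently of the download itself.
            SHA256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# Placeholder paths (assumptions): set these to the saved installer and the install folder.
$installerPath = '<path to downloaded installer>.exe'
$installDir    = '<Rainmeter install folder>'

# The installer, which the post says is signed by SignPath Foundation.
Get-SignerSummary -Path $installerPath | Format-List

# The installed program files, which the post says are self-signed.
$files = Get-ChildItem -LiteralPath $installDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    Select-Object -ExpandProperty FullName

Get-SignerSummary -Path $files |
    Sort-Object Subject, File |
    Format-Table File, Status, SelfSigned, Subject -AutoSize
```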


