First of all, thank you for a great program. I have donated on at least two occasions.
I seem to recall the download on the website got hacked a while back. At the time there was information about what a user should do to verify the download, but it seems this is now nowhere to be found. The download page gives checksums, but no information about how to verify these nor any information about the digital signature.
1. I realise users can search for how to compute checksums. It seems that in Windows this is not as straightforward as it should be - annoyingly Windows does not include these in the file properties and has no default utility either. Downloading a third-party tool takes some consideration.
2. Perhaps the checksums are not so important, as the installer is digitally signed. However, no mention is made that the installer should be signed, nor who the author and the issuer should be. I don't know how easy it would be for a hacker to get a file signed by an authority recognised in Windows, but even if this is difficult, it would be prudent to make users aware that the real installer is signed. Unfortunately, a lot of software is still unsigned, and an existing user may not remember whether WinSCP is supposed to be signed or might not pay attention.
A notice on the website would make users more aware and in the unfortunate event that the website is hacked again in future, alarm bells are more likely to go off for those returning for an update.
I realise, of course, that if the website is hacked, checksums can be changed and notices can be removed, but at least existing users will realise something is wrong.
Thank you again.
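The two checks the post asks for (checksum and Authenticode signature) can be done on Windows without a third-party tool. The script below is an added example written for this thread, not code from the original poster or from the WinSCP project; it uses only the built-in `Get-FileHash` and `Get-AuthenticodeSignature` cmdlets. The installer path, the expected SHA-256 and the expected publisher name are placeholders to be filled in from the vendor's download page.

```powershell
# Added example, not part of the original forum post: verify a downloaded installer on
# Windows using built-in PowerShell cmdlets only (Get-FileHash, Get-AuthenticodeSignature).
# The path, expected hash and expected publisher below are placeholders; take the real
# values from the vendor's download page, not from this thread.

function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,             # assumed: installer location
        [Parameter(Mandatory)][string]$ExpectedSha256,   # placeholder: hash from download page
        [Parameter(Mandatory)][string]$ExpectedSubject   # placeholder: publisher common name (CN)
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $result = [ordered]@{
        Path        = $Path
        HashOk      = $false
        SignatureOk = $false
        PublisherOk = $false
        AllOk       = $false
    }

    # 1. Checksum: compare the computed SHA-256 with the value published on the download page.
    #    String -eq is case-insensitive in PowerShell, so upper/lower-case hex both match.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actual -eq $ExpectedSha256.Trim())
    Write-Host ("SHA-256 computed : {0}" -f $actual)
    Write-Host ("SHA-256 expected : {0}" -f $ExpectedSha256)

    # 2. Authenticode signature: Status must be 'Valid' (trusted chain, file unchanged since
    #    signing). 'NotSigned' or 'HashMismatch' means this is not the file the vendor shipped.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureOk = ($sig.Status -eq 'Valid')
    Write-Host ("Signature status : {0} ({1})" -f $sig.Status, $sig.StatusMessage)

    # 3. Publisher: a valid signature only proves that *someone* with a trusted certificate
    #    signed the file, so the certificate Subject must name the publisher you expect.
    #    Issuer, thumbprint and expiry are printed so they can be compared by eye as well.
    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        Write-Host ("Signer subject   : {0}" -f $cert.Subject)
        Write-Host ("Signer issuer    : {0}" -f $cert.Issuer)
        Write-Host ("Cert thumbprint  : {0}" -f $cert.Thumbprint)
        Write-Host ("Cert valid until : {0}" -f $cert.NotAfter)
        $result.PublisherOk = ($cert.Subject -like "*CN=$ExpectedSubject*")
    }

    $result.AllOk = $result.HashOk -and $result.SignatureOk -and $result.PublisherOk
    return [pscustomobject]$result
}

# Usage with placeholders (replace every <...> with the values from the download page):
$check = Test-DownloadedInstaller `
    -Path "$env:USERPROFILE\Downloads\installer.exe" `
    -ExpectedSha256 "<sha256 from download page>" `
    -ExpectedSubject "<publisher common name>"

if (-not $check.AllOk) {
    Write-Warning "Installer failed verification (hash, signature or publisher); do not run it."
    exit 1
}
Write-Host "Installer passed checksum, signature and publisher checks."
```

The three results are deliberately kept separate: a matching checksum with an invalid signature points at a tampered download page, while a valid signature under an unexpected publisher name is exactly the case the post worries about, where a file is legitimately signed but not by the real author. Checking the publisher name against something recorded earlier (for example from a previous installation) is what makes the signature check useful even when the website itself has been altered.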