Is the source available? What is presented is a machine-generated website with very little meaningful information and mystery binaries for three platforms.
PS: The "SHA256 CHECKSUMS VERIFIED." is static. No hash check is performed, and as far as I can see the website doesn't have a list of hashes to check.
I normally work on larger projects (BrowserBox, dn), and now believe in new release methods, which is why the source is closed.
Your radar was okay: site is machine-generated by build workflow which pushes the binaries. The "Verified" label reflects internal CI attestation, but without public hashes? Might cause concern. Did not consider, tho based on your comment I've now replaced with "Digitally Signed and Notarized".
So reflects more accurately how the binaries are always digitally signed and notarized (Apple Developer ID + Microsoft Authenticode) with our company certs. SOP for my releases. The verification is the cryptographic signature checked by your OS kernel, not just a text file.
Signing, notarization, and hash checking just ensure that what I run is the thing that you meant for me to run. Source availability permits me to ensure that what I run is the thing that I meant to run.
> Only messages matching your Secret Key will ring.
I assume the "Secret Key" is placed in this prefix tag, '[SECRET::]'?
Since plain-text over UDP is not very secret, I'm now motivated to look into how WireGuard is able to use PKI to only accept packets from trusted clients. And, how that protocol could be used to generate the Secret Key.