The Bitcoin client is downloaded from a non-HTTPS server, so you cannot verify that it is legit, and the installer exe is not digitally signed. How often does that result in a Trojan client, and why is it done in this way?
I understand that you should check the pgp signature of the file, but if you do not have https, then how do you know the pgp signature is not just as bogus as the file itself? Don't we need https too?
GitHub also doesn't support HTTPS downloads. Though the download 'area' is HTTPS, the actual files are pulled from http://cloud.github.com
You really are barking up the wrong tree with the HTTPS bit, since all HTTPS is telling you is that the server you're talking with is who it claims it is. If the server is compromised, it will serve you a trojaned file just as happily as any other file.
What you really want to do is verify the PGP signature of the file (or of a file containing a hash of the released file), made by the developer making the release. You can do this regardless of where you download the files: both GitHub and SourceForge contain the GPG-signed sha1sums file that you can verify the signature of to ensure file integrity and authenticity. The only way that could be compromised is if the developer's machine itself was compromised.
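The check described in the answer above, as an added example that is not from the thread or the Bitcoin project: parse a clearsigned sums file, accept the gpg signature only if it was made by a pinned release-key fingerprint, then compare the download's hash. The sums file content, file names and fingerprint used here are constructed placeholders; the real release key's fingerprint has to come from a channel you trust, because a "good" signature from an unknown key proves nothing.

```python
# Added example (not the thread's or the project's code): verify a download against a
# clearsigned SHA256SUMS.asc, accepting only a signature from a pinned release-key fingerprint.
import hashlib, os, subprocess
# Constructed sample: digests of b"hello\n" and of an empty file; the signature body is fake.
SAMPLE_SUMS = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  bitcoin-setup.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  README.txt
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE...constructed.placeholder...
-----END PGP SIGNATURE-----
"""

def parse_sums(text):
    """Map filename -> hex digest, skipping armor headers and the signature body."""
    sums, in_sig = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_sig = True
        elif line.startswith("-----END PGP SIGNATURE-----"):
            in_sig = False
        elif line and not in_sig and not line.startswith(("-----", "Hash:")):
            digest, name = line.split(None, 1)       # coreutils "<hex>  <name>"
            sums[name.lstrip("*")] = digest.lower()  # "*" is the binary-mode marker
    return sums

def check_digest(name, digest, sums):
    if name not in sums:
        return "MISSING"
    return "OK" if digest.lower() == sums[name] else "MISMATCH"

def signature_accepted(status_lines, expected_fpr):
    """Parse gpg --status-fd output: need GOODSIG and a VALIDSIG by the pinned key.
    A good signature from some other key that happens to be in the keyring proves nothing."""
    want = expected_fpr.replace(" ", "").upper()
    good = any(l.startswith("[GNUPG:] GOODSIG ") for l in status_lines)
    fprs = [l.split()[2] for l in status_lines if l.startswith("[GNUPG:] VALIDSIG ")]
    return good and want in fprs

def verify_release(exe_path, sums_path, expected_fpr):
    # Signature first (fail closed), then the hash of the file actually downloaded.
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sums_path],
                          capture_output=True, text=True)
    if not signature_accepted(proc.stdout.splitlines(), expected_fpr):
        return "BAD_SIGNATURE"
    with open(sums_path) as f:
        sums = parse_sums(f.read())
    with open(exe_path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return check_digest(os.path.basename(exe_path), digest, sums)
```

For a detached signature (SHA256SUMS.asc beside SHA256SUMS) pass both paths to `gpg --verify` instead of one; the status parsing is the same.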