In case you didn't see this yet,

http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html

If you're using PGP to verify Bitcoin downloads, it's very important that you check you are using the right key. Someone seems to be creating fake PGP keys that are used to sign popular pieces of crypto software, probably to make a MITM attack (e.g. from an intelligence agency) seem more legitimate.

I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign the Windows binaries? If not it'd be a good idea, if only because AV scanners learn key reputations to reduce false positives. Of course this is not a panacea, and Linux unfortunately does not support X.509 code signing, but having extra signing can't really hurt.