I thought this through some more: IF they are validating the updater themselves - it is signed - and the verification key is in the (signed) main program it COULD be just about as secure as a code-signing-cert-signed executable checked by the OS as long as they implemented it correctly.

 

But if the main program doesn’t validate, and the warning is because the OS signature check doesn’t trust the cert, an attacker can intercept the flow and present the OS with an arbitrary binary with signature validated by the attacker’s cert. Malware would need to be installed and running in order to hook into the program flow - not a trivial undertaking but still.

 

If they used a trusted code signing cert all this noise would go away - which is the right thing to do.

 

Another problem is that triggering a warning message and expecting the user to ignore it is a security anti-pattern that promotes bad user behavior.

 

It would be nice if the team would respond! Meantime I’m betting on their implementation being “good enough” because an attack would be a fair amount of effort if my suppositions are correct.

 

Intuit, you can hire me as a security architect if you like.