One of the most powerful things that could be imagined on a *nix machine -
Drop a shell script (and supporting files) in user storage - run it as 'root'
Also opens the door to malicious scripting targeted at the end-user who can not (or will not) read them before running them.
OK - I really, really hate to rain on this mornings parade, but . . . .
Let us adopt the habit of having the author always provide a detached signature file that can be checked for authentic with a pgp or gpg public key.
All host OSs support that checking (with either the pgp or gpg applications) - so signature checking can be off-kindle ;
Each provider of an archive can use their own key pair ;
Each provider can post their public key of the pair in a trusted location - here or on a public gpg key server ;
Adopting this sort of policy should be welcomed by the providers of archive packages - it minimizes the liability of "Your application published all my personal data" - - -
If that installed application archive **was not** signed by the author who published it - then s/he didn't do it - sue someone else.
Adopting this sort of policy should be welcomed by the end-users of these archive packages - it gives assurance that they are using an **authentic** copy of the author's archive.
Yes, of course, humans have a tendency to not download and test the signature against the archive -
That only means they have chosen not to protect themselves, their device and their personal information **PRIOR** to running the archived application.
Their loss, their fault, none of us did it to you. Go sue someone else.
Here is a worked example -
My mirrors.minimodding.com domain publishes **copies** of other peoples archives.
You will find a signature file for every archive posted.
In the side-bar you can find two (2) independent sources of the public key needed to check that the archives are authentic. (Which also does a checksum test for corrupted downloads.)
For Linux (any *nix) and probably for MacOSx also, it is just a matter of the user downloading both the archive and the signature - -
Then in their file manager, clicking on "check signature" for the archive.
At which point (if it passes) they know they have a true copy of whatever I posted.
Simple - only adds a couple of clicks to the entire process of installing a new application for the launcher.
For the author - nearly as simple - in your file manager just click the file and pick "sign" then pick the key you are using for this purpose.
MacOSx:
https://www.gpgtools.org/
WinBoxen:
http://gpg4win.org/
Linux:
Pre-installed by most distributions, and available in your distribution repo if not.