Just pushed a version with lots of changes.
* GnuPG is now supported (tested on Windows and macOS) for signing and verifying (should cover Linux, but I'll have to test that).
* Certificate picker lists available GnuPG certificates.
* Verification on Windows and Mac implemented.
* Signing the Lazarus IDE on rebuilding it is now supported.
* Project-specific codesigning settings allow overriding global settings.
* For Microsoft's signtool, the URL is now picked from a formatted comment in the main source file.
Thanks Phil for pointing out that framework! I just saw that it already has included header translations in SecTrust.pas. That'll most likely be my next update.
Graeme: hashes are way different from cryptographic signatures. For downloads, it can indeed help if download and hash come from different servers (otherwise on a compromised server, the hash could be replaced as well as the download). But on just one computer, any malware could simply update a hash as well. Still, thanks for the insight into FreeBSD/ports.