Your crazy thoughts are possible, there are several ways to lure users to prompt in fake web page as well as the malware injected in the hackers URL.
Your only to trust is to verify the file you have downloaded.
To verify your blockstream downloads either ios/android/desktop, follow these steps.
- If you're using windows, go to terminal (CMD) and paste this command below which can be shown in this blockstream page
[1]gpg --keyserver keyserver.ubuntu.com --recv-keys "04BE BF2E 35A2 AF2F FDF1 FA5D E7F0 54AA 2E76 E792"
- Open Kleopatra (gpgwin), check all the certificates you can see "GreenAddress Team
info@greenaddress.it". You can see that Key ID is the same on blockstream page
[1], right click and "Certify".
- Download the file you want from this page
[1] either ios/android/desktop make sure you are in correct repository "
https://github.com/Blockstream"
- On there current release say for android app
[2], there's .asc file, SHA256SUMS.asc download it together with the app
- Open Kleopatra, "Decrypt/Verify" and choose the " SHA256SUMS.asc" signature, a success message will show about the signature is valid like this
SHA256SUMS.asc → SHA256SUMS: Show audit log
Valid signature by
info@greenaddress.itSignature created on {datetime}
With certificate:
GreenAddress Team <
info@greenaddress.it> (E7F0 54AA 2E76 E792)
The signature is valid and the certificate's validity is fully trusted.
[1]
https://help.blockstream.com/hc/en-us/articles/900002174043-How-do-I-verify-the-Blockstream-Green-binaries[2]
https://github.com/Blockstream/green_android/releases/tag/release_4.0.33