Every app page on Altapp carries a Trust Report, and every Trust Report starts the same way: we go to the developer's official release channel and download the build ourselves. Not a mirror, not an aggregator — the source.
The binary is then checked in three passes. First, the code signature: is it signed by the developer, and does the certificate chain validate? On macOS we also verify notarization; on Windows, the Authenticode signature.
Second, the checksum. If the developer publishes a SHA-256, we compare it against our download. If they don't, we compute and publish one ourselves, so future downloads can be verified against a known-good value.
Third, the scan. The file goes through a multi-engine malware scan, and the result — including the engine count — is recorded in the report with a date. A report is never evergreen: each check carries a freshness window, and expired checks are re-run before the page shows them as current.