Those warnings basically say
"Hey dude, Gavin says this file here is his public key but no trusted Certificate Authority is backing up the validity of this claim.
Tell Gavin to pony up some big bucks and make Verisign, Thawte, Comodo, Equifax, Hongkong Post, TurkTrust(1), or DigiNotar(2) happy."

If a hacker were able to breach bitcoin.org's server and replace Gavin's public key and they were then able to breach the SourceForge repositories and replace the files with malicious ones, anyone validating the bad executables with the bad public key could be cheated into thinking that everything is fine.
In short, if a hacker gets full control over everything, we're screwed - film at 11.
For the record, the fingerprint of Gavin's public key is indeed
2664 6D99 CBAE C9B8 1982 EF60 29D9 EE6B 1FC7 30C1

Notes
(1) You may not have known but your system trusts hundreds of entities. From its POV Hongkong Post is just as trustworthy as Verisign. Better believe someone in Hongkong did their due diligence when signing those SSL certificates.
(2) I put DigiNotar in as a joke; this CA fell victim to a hacker attack last year. As a result, they went keel up and sank.
The SSL certificates the hackers were able to generate were inherently trusted by any machine in the world. So much for trusted CAs.
You better believe TurkTrust and Hongkong Post really know what they are doing
There have been several initiatives to mitigate the flaws in the current trusted CA model.
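The check the post is really describing, comparing a downloaded key's fingerprint against one obtained out of band, as added example code (not from the original post): it parses the machine-readable `gpg --with-colons --show-keys` listing (the listing below is a constructed sample) and compares the full 40-hex-digit fingerprint, not just the 8-digit short key ID, against the value quoted above.

```python
"""Compare an OpenPGP key file's fingerprints against an expected value.

Added example, not code from the original post. Assumes the key file was
listed with `gpg --with-colons --show-keys key.asc`, whose 'fpr' records
carry the fingerprint in the 10th field, and that EXPECTED_FPR was written
down from a channel other than the server that served the key.
"""
import hmac
import re

# Fingerprint of Gavin's key as quoted in the post.
EXPECTED_FPR = "2664 6D99 CBAE C9B8 1982 EF60 29D9 EE6B 1FC7 30C1"

# Constructed sample listing: the genuine key, then a second key whose
# fingerprint shares only the short key ID (last 8 hex digits).
SAMPLE_COLONS = """\
pub:-:2048:1:29D9EE6B1FC730C1:1306000000:::-:::scESC::::::23::0:
fpr:::::::::26646D99CBAEC9B81982EF6029D9EE6B1FC730C1:
uid:-::::1306000000::0::Constructed Sample <sample@example.invalid>::::::::::0:
pub:-:2048:1:AAAAAAAA1FC730C1:1306000000:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1FC730C1:
"""


def normalize_fpr(fpr: str) -> str:
    """Strip spaces and upper-case; reject anything but a 40-hex v4 fingerprint."""
    compact = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError(f"not a 40-hex-digit OpenPGP fingerprint: {fpr!r}")
    return compact


def primary_fingerprints(colons_output: str) -> list[str]:
    """Fingerprints of primary keys only: 'fpr' records that follow a 'pub' record."""
    fprs, previous = [], ""
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and previous == "pub" and len(fields) > 9:
            fprs.append(fields[9])
        previous = fields[0]
    return fprs


def verdict(fpr: str, expected: str) -> str:
    """Judge one fingerprint; a short-key-ID collision is called out explicitly."""
    got, want = normalize_fpr(fpr), normalize_fpr(expected)
    if hmac.compare_digest(got, want):
        return "match"
    if got[-8:] == want[-8:]:
        return "short key ID collides, full fingerprint differs"
    return "mismatch"


def check_key_file(colons_output: str, expected: str) -> dict[str, str]:
    """Map every primary-key fingerprint in the listing to its verdict."""
    return {f: verdict(f, expected) for f in primary_fingerprints(colons_output)}
```

Import the key only when the listing contains exactly one primary key and its verdict is "match"; anything else means the file is not the key you were told to expect.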