Do untagged files (like downloaded via curl) not require signing at all, or it's just lenient enough to not trigger the bugs/issues mentioned in the article (since their app is actually signed, after all)?