Download authenticity message has no actionability

[jipmoors]

Problem

While testing some upgrades of themes I noticed the following message:

The authenticity of twentynineteen.1.4.zip could not be verified as no signature was found.

As a user I have no idea what this means and more importantly, what I can do about it.

Proposed solution

Add more context about what it means, why it is a not a blocker (soft-fail) when this is the case.
This could be a page on WordPress.org or explained in-line.

Provide a context on where this should be solved, locally/server/WordPress.org

Expectations

I would have expected the theme update to be verified as it is downloaded from WordPress.org directly.

[SergeyBiryukov]

Related: #39309

[afercia]

Discussed during today's accessibility bug-scrub. Pinging @pento as the Upgrade/Install component maintainer.

Also relevant:
​https://wordpress.org/support/topic/5-2-1-update-authenticity-of-update-could-not-be-verified/

Copy could be improved here. The part The authenticity of twentynineteen.1.4.zip could not be verified is already a bit hard to get for non-tech-savvy users. Then, when it comes to signature, it's probably a bit too much technical :)

Pinging also @marybaum

[SergeyBiryukov]

#51428 was marked as a duplicate.

[SergeyBiryukov]

#47343 was marked as a duplicate.

[SergeyBiryukov]

#51672 was marked as a duplicate.

[bridgetwillard]

Happy to write copy, y'all. I'll need a bit more information.

What does it mean that the file wasn't verified?
What is the signature?
What is the solution?

Thanks.

[s0what]

Is this fixed now? Because I got this message when upgrading to 5.7
If this is not fixed, please remove the message!

[SergeyBiryukov]

#54495 was marked as a duplicate.

[rajinsharwar]

#58937 was marked as a duplicate.

[rajinsharwar]

My suggestion would be to add a message like "You can safely ignore" to the message until the feature is redesigned, or just completely remove until it's fully ready.