From what I understand, that error just means they didn't sign their code with a "Microsoft™ approved™™" code signing certificate. I generally ignore it and assume it's just a racket, i.e. a way for Microsoft to get more money out of developers than they would if the developers bought a certificate from someone else.
I normally just check for a checksum on the website I'm downloading from, and compare checksums with other people.
... On that note, since no checksum is provided on the site, could someone else (*rimshot*) provide a checksum, ideally SHA-256, of the 3.18.6 installer's zip file? Would make me feel better about it, just in case :-)