If an attacker is able to modify the versioninfo.xml online, he can just delete the
Now he can replace the update.exe with any malicious file he likes, and the old version installed at the user's side will execute it without any check.
// check if we have a dsa signature in appcast
if (item.DSASignature == null || item.DSASignature.Length == 0)
{
    // a missing signature is treated as success, so the download is never verified
    sparkle.ReportDiagnosticMessage("No DSA check needed");
    bDSAOk = true;
}
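
A fail-closed version of the check above, as an added example that is not the project's own code. `UpdateSignaturePolicy` and `IsUpdateTrusted` are hypothetical names; the sketch assumes the public key ships inside the installed application and that signatures are DSA over SHA-1, and it uses a constructed throwaway key and constructed byte arrays in place of a real update.exe.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper: decides whether a downloaded installer may be executed.
static class UpdateSignaturePolicy
{
    // Fail closed: a missing, malformed or invalid signature all reject the download.
    public static bool IsUpdateTrusted(byte[] installer, string dsaSignatureBase64, DSA publicKey)
    {
        if (publicKey == null)
            throw new ArgumentNullException(nameof(publicKey)); // assumption: key is embedded in the app
        if (string.IsNullOrEmpty(dsaSignatureBase64))
            return false; // signature stripped from the appcast => reject, never "no check needed"

        byte[] signature;
        try { signature = Convert.FromBase64String(dsaSignatureBase64); }
        catch (FormatException) { return false; }

        // Assumption: SHA-1 as the signature hash.
        try { return publicKey.VerifyData(installer, signature, HashAlgorithmName.SHA1); }
        catch (CryptographicException) { return false; }
    }
}

static class Demo
{
    static void Main()
    {
        using (DSA key = DSA.Create()) // constructed throwaway key pair
        {
            byte[] genuine = { 0x4D, 0x5A, 0x01, 0x02 }; // constructed stand-in for update.exe
            byte[] swapped = { 0x4D, 0x5A, 0xFF, 0xFF }; // constructed stand-in for a replaced file
            string sig = Convert.ToBase64String(key.SignData(genuine, HashAlgorithmName.SHA1));

            // Only the first call, genuine file with its matching signature, is accepted.
            Console.WriteLine(UpdateSignaturePolicy.IsUpdateTrusted(genuine, sig, key));
            Console.WriteLine(UpdateSignaturePolicy.IsUpdateTrusted(swapped, sig, key));
            Console.WriteLine(UpdateSignaturePolicy.IsUpdateTrusted(swapped, null, key));
            Console.WriteLine(UpdateSignaturePolicy.IsUpdateTrusted(swapped, "", key));
        }
    }
}
```

The decision depends only on the key inside the installed application, so editing or removing the signature in the online XML cannot turn verification off.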