Files available from: https://krita.org/en/download/krita-desktop/ and named: krita-3.2.0-x86-setup.exe krita-3.2.0-x64-setup.exe are signed only with the SHA1 certificate belonging to Open Source Developer, Boudewijn Rempt. Wikipedia claims that since 2010 "many organizations have recommended its replacement by SHA-2 or SHA-3" [https://en.wikipedia.org/wiki/SHA-1] Most importantly, in February 2017 Google announced "the first practical technique for generating a collision" against SHA-1 [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html] It's tough enough that krita.exe has no digital signature to depend upon.
Sorry, but this really isn't a bug. Together with KDE e.V. we're working to get a new certificate, but, basicallty, all this signing stuff is nonsense. I'm making these binary builds, and by gum, I wish someone else would spend their precious minutes on this earth on them.