No hacked, but Robert Lancaster uploaded a new DMG he built on his machine to test if the reported bugs were fixed. Once all sorted out, we'll upload the KDE Binary generated version.

thanks for the explanation

So I have been building KStars DMGs and releases on my machine since 2016 or so and every release was built and released that way.  It was only a very short time (~ 1 month or so) that we have been using the KDE binary built version because my script broke.  I only finally managed to get my craft recipes on the kde binary server so that we could have nightly versions and releases built there in January of 2022.  But I am still building official releases on my machine.  I just recently fixed my script and uploaded the new version.  I wouldn't say that there was a "trusted" version until now and it suddenly was replaced with a "hacked" one.  We were only using that "trusted" version for a very short time as a stopgap measure until we fixed some issues.  There are still several other things that I have in the dmg that are not properly duplicated in the craft kde binary server built version and I would not like to switch to them as the official version of releases until I can get craft to do those things properly.

Also my dmgs have not been code signed because I have not spent my own money to get a developer certificate.  Is it possible for me to build on my own machine with the KDE developer certificate or must that be done from the KDE binary server only?

while the issue was fixed in 3.6.2, version 3.6.3 is again unsigned

Should be resolved now.

while 3.6.8 was fine, 3.6.9 is once again completely unsigned (ad-hoc signature).