I know that. It's maybe my personal paranoia, but having at least some kind of hash/crc/fingerprint/pk directly on the vendor's HP itself is a thing I will always appreciate. Signature verification does more or less always require a third party (Signature-Authority); look at most of the bigger OpenSource projects (I know yours is not OpenSource), but I guess it would not hurt either. And since your application is about financial transactions, which is, at least in my view, a highly sensitive subject, I would feel better about it.