The SIGNATURE is basically only used to verify there are no transmit errors. Using it for any form of verification or accountability only gives one a false sense of security, which is worse than no sense of security, IMO.

That argument gets tossed around a lot and it's simply not true. The SIGNATURE file is used to ensure that the person who uploaded a file is one whom you trust. PGP is not MD5.