I give it a year at most before they patch it tight. Not for any philanthropic reasons, but purely because responding to that many queries is going to cost them extra server time that’ll be noticed eventually now that word is out and people are going to start hitting the API more often.
A pre-registered checksum will ensure that the downloaded file is what it says it is before running. So yes, it is safe. Unless you’ve found a collision in the checksum algorithm Apple is using, although the chances are better that you’ll squeeze water out of dry desert sand.
(Edit: To those thinking they’ll rely on just code signing for this, you’re likely way off base.)