it was pulled because the binaries were self-signed for a short period, not because they knew something

who signed the binaries was irrelevant for this attack, because the issue was not checking any signature