Except that all supposedly legitimate MAS installers have digests that, when searched, point to suspect-looking Chinese domains. Plus they're MD5 and SHA-1, which are reasonably easy to mess with (from what I read). I read it's not that hard to produce specific MD5 digests now. While I am no expert, that and the fact that the ONLY installers are found on weird Chinese sites makes me apprehensive, cuthead. That and APT25.
I mean, it's not so seemingly hard to produce two files with a collision (2 same digests on purpose, or "hashes" as people call them).
It is easy to collide a small digest, but it is hard to collide a big digest. For example, you can only use the 10.12.3 magnet to download 10.12.3, but not 10.7.5. MD5 and SHA-1 are deprecated and dead; colliding MD5 and SHA-1 means nothing, and it is still hard to collide MD5 and SHA-1 because you need 1B computers to do it.
By the way, I do not use digests to compare files; I use binary to compare files. I use md5sum just for fun.
MAS 10.12.3 and BitTorrent 10.12.3 are 1:1 the same thing except for Install macOS Sierra.app/Contents/_MASReceipt, because the BitTorrent 10.12.3 also comes from MAS via another Apple user. If you have an Apple ID receipt in Install macOS Sierra.app and you have Apple-brand hardware, Apple cannot arrest you.
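
The byte-for-byte comparison described in the last post above, as an added example that is not part of the thread: it walks two installer bundles, skips the `Contents/_MASReceipt` subtree named there, and lists files that are missing or differ. The function names and the sample bundle contents (`payload.bin`, the receipt bytes) are constructed for illustration.

```python
import filecmp
import os
import tempfile

IGNORED = "Contents/_MASReceipt"  # per-user receipt path named in the thread

def list_files(root, ignored=IGNORED):
    """Return relative file paths under root, skipping the ignored subtree."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel == ignored or rel.startswith(ignored + "/"):
                continue
            found.add(rel)
    return found

def compare_bundles(a, b, ignored=IGNORED):
    """Byte-compare two bundles; return (only_in_a, only_in_b, differing)."""
    files_a, files_b = list_files(a, ignored), list_files(b, ignored)
    differing = [
        rel for rel in sorted(files_a & files_b)
        # shallow=False forces a content comparison, not a size/mtime check
        if not filecmp.cmp(os.path.join(a, rel), os.path.join(b, rel), shallow=False)
    ]
    return sorted(files_a - files_b), sorted(files_b - files_a), differing

def _make_bundle(root, files):
    """Write a constructed sample bundle from a {relative path: bytes} mapping."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Constructed sample: receipts differ, then one payload byte is changed."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "a.app"), os.path.join(tmp, "b.app")
        common = {"Contents/Info.plist": b"<plist/>", "Contents/Resources/payload.bin": b"\x00" * 64}
        _make_bundle(a, {**common, "Contents/_MASReceipt/receipt": b"user-1"})
        _make_bundle(b, {**common, "Contents/_MASReceipt/receipt": b"user-2"})
        clean = compare_bundles(a, b)
        with open(os.path.join(b, "Contents/Resources/payload.bin"), "r+b") as fh:
            fh.write(b"\x01")  # same size, one byte changed
        filecmp.clear_cache()  # drop cached results keyed on size/mtime
        return clean, compare_bundles(a, b)

if __name__ == "__main__":
    print(demo())
```

A result of three empty lists means the copies match outside the receipt; any entry in the third list names a file whose bytes differ.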