Basically what it says in the title.
This first one is especially important as it allows anyone on the network or at the ISP to manipulate the data that is sent to inject malware.
The second one is important as well: it allows additional verification that the files are legitimate and even allows users in enterprise environments to whitelist VorpX based on signature. It could also calm antimalware software down a bit on new releases.
An alternative to this would be to publish the checksums for the installers (not just the downloader) on something like GitHub and publish links to the installers directly.
I compared the SHA256 checksums of a downloader I recently got to one I got a while ago and recently found in an old backup. They were exactly the same, and the creation date was set to sometime in 2013, so it doesn’t seem like they are individually crafted.