There have been quite a few people commenting about the download being flagged as a virus on the Discord.
Reasonable paranoia aside, I think this is pretty safe.
For what it's worth, the SHA of 1.12.0 I downloaded a few days ago matches the one in your post.
Unfortunately I'm away from my normal computer so I can't check the files I originally downloaded.
We should certainly not disregard the possibility that someone actually managed to get into the forum database and add something spicy to the aurora executable sometime after Steve uploaded it. I too am in favor of an MD5 (well, strictly if we want to be secure we should use something other than MD5 since that's been cracked, so a careful hacker could cover their tracks fairly easily compared to a SHA hash or something).
The file is stored completely separate from the forum software and files.
The storage location doesn't affect any modifications made to the file during transit, and only protects the file vs the post to the extent that different passwords are (or should be) needed to affect both areas, although I'd guess there is an admin account somewhere that can affect the whole shebang.
Speaking of passwords, are any of them aurora123?
On a more serious note, have you considered adding TLS/SSL for the forums?
That would ensure that communication between the browser and the server is secure and that messages between them cannot be tampered with during transit.
The file path for the 1.12 patch is also on pentarch.org so I think it would also add security during file downloads.
The other thing which could be done is Steve could submit the file to Microsoft and ask them to stop treating it as a false positive.
The relevant page is here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide
Obviously that's a bunch of work for him and I don't know how quickly they'll sort it out. It also might need to be done for every new release.