Yes, you are right, there is no signature verification. But there is some sort of verification, at least of whether or not chain booting suceeded: if there is crap in the SBL partition, the PBL will make the device enter into EDL mode.
And now that you mention it: the PBL is not veryfying the signature of the programmer we used to reflash the images, so we could do it. Does that really mean that it also does not verify the signature of the SBL?
In androidfilehost, once you finish downloading a file, you get a message:
Don’t forget to share the love with your developers, without whom this download wouldn’t be here. Contact them to say thanks or send a donation their way.
It suggests it could be possible for you to indicate some contact/donate information also there.