Answer 1 Copied and pasted from http://productforums.google.com/forum/#!topic/chrome/r-9JQIboUmc

I was able to get around it without a code signing certificate, just by using SSL (which uses a less expensive certificate, and I already had one to secure access to my website), but as your experience shows it seems SSL isn’t the only way…

Based on my experience and what I’ve read of others here, my theory of how Chrome validates downloads is that it goes through a checklist like this:

1. Is the host site known and trusted? (i.e. large established sites are OK)
2. Can the identity of the host site be verified? (i.e. via SSL certificate)
3. Can the the identity of the file’s publisher be verified? (i.e. via code signing certificate)
4. Is the file known and trusted? (I had a file up for a while that was unsigned and accessed without SSL – Chrome was fine with it until I changed the binary after the security update… I’m assuming it takes some time to reach this status.)

If one of these criteria passes, the download is not flagged as malware, and if they all fail, it is.

Answer 2: Copied from http://blog.chromium.org/2012/01/all-about-safe-browsing.html

Malicious downloads are especially tricky to detect since they’re often posted on rapidly changing URLs and are even “re-packed” to fool anti-virus programs. Chrome helps counter this behavior by checking executable downloads against a list of known good files and publishers. If a file isn’t from a known source, Chrome sends the URL and IP of the host and other meta data, such as the file’s hash and binary size, to Google. The file is automatically classified using machine learning analysis and the reputation and trustworthiness of files previously seen from the same publisher and website. Google then sends the results back to Chrome, which warns you if you’re at risk.