Hash comparisons would be great! As an extra reach adding GPG signatures support would be so convenient. Grab the key from the keyservers, report good / bad and signature details along with key fingerprints and details of the signer. Automatic .asc / .sig appending to the download URL detection or allow the user to provide such a file for existing downloads.