All the hashes prove is whether the plaintext has been altered. If the message and the hash have been compromised, you are out of luck. If you are comparing hashes from your nearby mirror with hashes from the central distribution site, you have done all you can. You must trust that the central site has not been compromised, or is not otherwise being managed by bad actors.
The addition of a signature framework from the central site merely adds one form of authentication. It does not assure you of anything else.
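To make the distinction concrete, an added example in Python (not part of the post above): a hash comparison passes whenever the file and its digest were replaced together, a signed digest from the central site does not, and a signature from a compromised central site still passes. The HMAC key standing in for the site's private signing key is an assumption made so the example runs offline with the standard library.

```python
import hashlib
import hmac

# Constructed stand-in for the central site's private signing key. A real release
# would use a public-key signature (GPG, minisign, sigstore), where verifiers hold
# only the public key; HMAC is used here so the example runs offline with the
# standard library. The trust argument is the same: a signature can only be made
# by whoever holds the key.
SITE_SIGNING_KEY = b"constructed-key-held-only-by-the-central-site"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_digest(key: bytes, digest: str) -> str:
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def publish(data: bytes, key: bytes = SITE_SIGNING_KEY) -> dict:
    """What the central site publishes: the file, its SHA-256 digest, and a signature over the digest."""
    digest = sha256_hex(data)
    return {"file": data, "sha256": digest, "sig": sign_digest(key, digest)}

def hash_check(downloaded: bytes, published_digest: str) -> bool:
    """Integrity only: the bytes match the digest we were handed, whoever handed it to us."""
    return hmac.compare_digest(sha256_hex(downloaded), published_digest)

def signature_check(published_digest: str, sig: str) -> bool:
    """Authentication: the digest was produced by the holder of the central site's key."""
    return hmac.compare_digest(sign_digest(SITE_SIGNING_KEY, published_digest), sig)

def verify(downloaded: bytes, digest: str, sig: str) -> bool:
    return hash_check(downloaded, digest) and signature_check(digest, sig)

GENUINE = b"constructed genuine release-1.0.tar.gz contents"
ALTERED = b"constructed altered release-1.0.tar.gz contents"

def scenario_mirror_altered_file_and_hash() -> tuple:
    """A mirror serves an altered file together with a matching digest.
    Hash comparison alone passes; the central site's signed digest does not verify."""
    release = publish(GENUINE)
    mirror_digest = sha256_hex(ALTERED)  # digest the mirror serves for its altered file
    return (hash_check(ALTERED, mirror_digest),
            verify(ALTERED, mirror_digest, release["sig"]))

def scenario_central_site_compromised() -> bool:
    """If the central site (and so its key) is run by a bad actor, the altered
    release is signed with the real key and every check passes: the signature
    authenticates the source, it does not vouch for the source."""
    release = publish(ALTERED)  # signed by whoever holds the central site's key
    return verify(release["file"], release["sha256"], release["sig"])
```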