=== Task ===
Check integrity and authenticity of the downloaded source archive.
=== Description ===
You could create a hash (e.g. SHA-256) of the archive and place it in a file offered for download alongside the archive.
Then this file containing the hash has to be signed with a trusted GPG key (for example; anything PKI-based works), with the public key made widely available.
That way one could verify both the integrity and the authenticity of the archive, provided the public key is obtained through a channel independent of the download itself.
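The verification side of this procedure, as an added example that is not part of the original task text: it checks the detached GPG signature on the checksum file against a pinned key fingerprint, then compares the archive's SHA-256 with the signed entry. The archive bytes, filenames and the `pinned_fpr` value are constructed assumptions; the sums file follows the `sha256sum` "HASH  FILENAME" line format.

```python
import hashlib
import hmac
import re
import subprocess
from pathlib import Path

# Constructed sample: an "archive" and the checksum file published next to it.
ARCHIVE_NAME = "project-1.0.tar.gz"
ARCHIVE_BYTES = b"not a real tarball, just constructed sample bytes\n"
SUMS_TEXT = (
    hashlib.sha256(ARCHIVE_BYTES).hexdigest() + "  " + ARCHIVE_NAME + "\n"
    + "0" * 64 + "  other-file.tar.gz\n"
)

def parse_sums(text):
    """Parse sha256sum-style lines into {filename: hex digest}; skip malformed lines."""
    sums = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(.+)", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def archive_matches(archive_bytes, name, sums_text):
    """True only if the sums file lists `name` and that digest equals sha256(archive)."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False  # fail closed: an unlisted file is not "verified"
    actual = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

def signature_is_trusted(sums_path, sig_path, pinned_fpr):
    """Verify the detached signature and require a specific signing key.
    gpg's GOODSIG alone is not enough: any key in the local keyring would
    produce one, so the VALIDSIG fingerprint is compared with the pinned one
    (the signing subkey fingerprint or, last field, the primary key fingerprint)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return False
    wanted = pinned_fpr.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return wanted in (parts[2].upper(), parts[-1].upper())
    return False

def verify_download(archive_path, sums_path, sig_path, pinned_fpr):
    """Full check: signature on the checksum file first, then the archive hash."""
    if not signature_is_trusted(sums_path, sig_path, pinned_fpr):
        return False
    archive = Path(archive_path)
    return archive_matches(archive.read_bytes(), archive.name, Path(sums_path).read_text())
```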