I was wondering if the person building the binaries could put those (MD5 and SHA1 sums) both on a page that is GPG-signed? Then, as I get to know the person building the binaries, and if the key changes, I can be suspicious of someone putting up another binary.
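The check this post describes, as an added example that is not part of the original post: given the status output of `gpg --status-fd 1 --verify` run on the signed sums page, it pins the builder's key fingerprint and checks a download against both listed sums. The function names, the file name `tool.bin`, the fingerprints and all sample data are constructed for illustration, and the status text is assumed to come from gpg verifying exactly the sums text passed in.

```python
import hashlib

ALGO_BY_LEN = {32: "md5", 40: "sha1"}  # hex digest length -> hashlib name

def signer_fingerprint(gpg_status):
    """Primary-key fingerprint from a VALIDSIG status line, else None."""
    for line in gpg_status.splitlines():
        f = line.split()
        if f[:2] == ["[GNUPG:]", "VALIDSIG"] and len(f) >= 3:
            # Field 10 after VALIDSIG is the primary key; fall back to signing key.
            return (f[11] if len(f) >= 12 else f[2]).upper()
    return None

def listed_digests(sums_text, name):
    """Map algorithm -> digest for `name` from md5sum/sha1sum style lines."""
    found = {}
    for line in sums_text.splitlines():
        f = line.split()
        if len(f) == 2 and f[1].lstrip("*") == name and len(f[0]) in ALGO_BY_LEN:
            found[ALGO_BY_LEN[len(f[0])]] = f[0].lower()
    return found

def check_release(gpg_status, sums_text, name, data, pinned_fpr):
    """Return a verdict; only 'ok' and 'ok-first-use' mean accept."""
    fpr = signer_fingerprint(gpg_status)
    if fpr is None:
        return "no-valid-signature"
    if pinned_fpr is not None and fpr != pinned_fpr.upper():
        return "key-changed"  # the case the post says to be suspicious of
    digests = listed_digests(sums_text, name)
    if set(digests) != {"md5", "sha1"}:
        return "sums-missing"
    for algo, want in digests.items():
        if hashlib.new(algo, data).hexdigest() != want:
            return "digest-mismatch"
    return "ok" if pinned_fpr else "ok-first-use"

# Constructed sample data (not real keys or releases).
BUILDER_FPR, OTHER_FPR = "A" * 40, "B" * 40
BINARY = b"constructed release contents\n"
SUMS = "%s  tool.bin\n%s  tool.bin\n" % (
    hashlib.md5(BINARY).hexdigest(), hashlib.sha1(BINARY).hexdigest())

def status_for(fpr):
    """Constructed VALIDSIG line in gpg's --status-fd field layout."""
    return "[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n" % (fpr, fpr)

if __name__ == "__main__":
    print(check_release(status_for(BUILDER_FPR), SUMS, "tool.bin", BINARY, BUILDER_FPR))
```

On first use the fingerprint has to be confirmed through some channel other than the download page; after that, a `key-changed` verdict is the signal to stop and ask the builder.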