ThomasV, could you please write here in the sticky thread the MD5 / SHA-1 / signature of the real Electrum 3.3.3?
You can already verify the sig. If you still don't trust it, you can build it from scratch as explained on the GitHub page. I'm not sure if Thomas would reply because he already gave his GPG fingerprint.