I like to use 7zip and right click the file to verify the hash checksum when using Windows. Looks like a bunch of coins are getting infected wallets switched in lately. That hash file should be posted in multiple places, as this happened on Linux Mint at some point and the hashes were also compromised on the website.
I agree that hash files should be stored on a separate server, and not on the normal download server (to avoid getting compromised too in case of a hack).
Also I like to point out that Dash also offers both its binaries and the SHA256SUMS.asc (hash file) on GitHub.
Link:
https://github.com/dashpay/dash/releases (see assets)
I understand there are also ways to verify hash files themselves, by checking who PGP signed them and comparing that with developers that have signature rights.
Maybe someone from Dash Core Group can comment on the above ?
I guess we have to wait and see how Monero's official site got compromised in the first place and then check if our own security measurements are still sufficient.
Good to hear that 7zip also has a hash verification tool inside.
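
The check discussed in this thread, as an added Python example that is not from any poster or from the Dash project: it reads the file list out of a SHA256SUMS file and compares a downloaded file's SHA-256 against it. It assumes the file is either plain `sha256sum` output or a PGP clearsigned wrapper around it; the file names and the sample text are constructed. It does not check the PGP signature, so `gpg --verify SHA256SUMS.asc` against a developer key obtained from a separate source still has to pass first.

```python
import hashlib
import hmac
import re

# Constructed sample; the signature body is a placeholder, not a real signature.
SAMPLE_SUMS = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{good}  wallet-example.tar.gz
{other}  wallet-example.zip
-----BEGIN PGP SIGNATURE-----

(placeholder)
-----END PGP SIGNATURE-----
"""

# sha256sum writes "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode).
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_sums(text):
    """Return {filename: sha256hex} from a plain or clearsigned SHA256SUMS file."""
    lines = text.splitlines()
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":
        # Keep only the signed region: after the armor headers' blank line and
        # before the signature. A malformed wrapper raises ValueError (fails closed).
        start = lines.index("") + 1
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
        lines = lines[start:end]
    sums = {}
    for line in lines:
        if line.startswith("- "):  # undo clearsign dash-escaping
            line = line[2:]
        m = LINE_RE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, name, sums_text):
    """True only if `name` is listed and the file's digest matches its entry."""
    expected = parse_sums(sums_text).get(name)
    return expected is not None and hmac.compare_digest(sha256_file(path), expected)
```

A match only shows that the download agrees with the hash file; if both came from the same compromised server, the signature check is what catches it.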