I like to use 7zip and right-click the file to verify the hash checksum when using Windows. Looks like a bunch of coins are getting infected wallets switched in lately. That hash file should be posted in multiple places, as this happened on Linux Mint at some point and the hashes were also compromised on the website.
I agree that hash files should be stored on a separate server, and not on the normal download server (to avoid getting compromised too in case of a hack).
Also I like to point out that Dash also offers both its binaries and the SHA256SUMS.asc (hash file) on GitHub.
Link:
https://github.com/dashpay/dash/releases (see assets)
I understand there are also ways to verify hash files themselves, by checking who PGP signed them and comparing that with developers that have signature rights.
Maybe someone from Dash Core Group can comment on the above?
I guess we have to wait and see how Monero's official site got compromised in the first place and then check if our own security measurements are still sufficient.
Good to hear that 7zip also has a hash verification tool inside.
Each binary file has a corresponding signature (.asc) file, SHA256SUMS.asc is a signed list of hashes for all files. Corresponding dev keys to check these signatures can be found on GitHub (the easiest way to verify keys - check the modification/commit date to make sure they were not altered recently) and on Keybase. Keys on both resources should match (it's highly unlikely that they would be compromised in both places).
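An added example, not part of the thread and not Dash's own tooling: checking a downloaded file against a signed hash list while reading hashes only from the signed region of the file. It assumes SHA256SUMS.asc is an OpenPGP clearsigned message in `sha256sum` format; the file name and contents are constructed, and the signature itself must still be verified separately with `gpg --verify SHA256SUMS.asc` against the developer keys.

```python
import hashlib
import hmac
import os
import tempfile

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_hashes(clearsigned_text):
    """Return {filename: sha256 hex} taken only from the signed region."""
    lines = clearsigned_text.splitlines()
    start = lines.index(BEGIN_MSG)            # ValueError if not clearsigned
    end = lines.index(BEGIN_SIG, start)
    body = lines.index("", start) + 1         # blank line ends the "Hash:" headers
    sums = {}
    for line in lines[body:end]:              # text outside this slice is unsigned
        if line.startswith("- "):             # undo OpenPGP dash-escaping
            line = line[2:]
        parts = line.split()                  # assumes names without spaces
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def file_matches(path, sums):
    expected = sums.get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(expected, sha256_of(path))

def demo():
    # Constructed sample: a fake installer plus a hash list with a forged,
    # unsigned entry appended after the signature block.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo-installer.exe")
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        text = "\n".join([
            BEGIN_MSG, "Hash: SHA256", "", sha256_of(path) + "  demo-installer.exe",
            BEGIN_SIG, "", "(constructed placeholder, not a real signature)",
            "-----END PGP SIGNATURE-----", "0" * 64 + "  demo-installer.exe"])
        sums = signed_hashes(text)
        return file_matches(path, sums), sums

if __name__ == "__main__":
    print(demo())
```

A matching hash only shows the file agrees with the list; it is the signature check on the list, with keys that match on GitHub and Keybase, that ties it to the developers.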