Most if not all distributions of Linux (and other software thingies) publish checksums (MD5, SHA) for individual packages and other things for the sole purpose of avoiding injections of mallicious software in their distribution. The chain of trust, of course, heavily relies on how the checksums are published (on web-pages), which inevitably turns to HTTPS and the idea of website certification. Yes, these things are mostly unspoken and ignore by downloaders -- including the guy typing this message.