In addition to the sha256 hashes that are already created for release packages, we should also create a signature for each file that has been signed with a private key. Using the published verification key, it will then be possible to confirm not only that the package hasn't been modified after creating the hash but also that neither the package nor the hash have been altered.