Integrity check of MemTest86 V7.3?

  • Integrity check of MemTest86 V7.3?

    I have downloaded MemTest86 V7.3 Free Edition for Linux/Mac (http://www.memtest86.com/downloads/memtest86-usb.tar.gz) to create a bootable USB drive, but there is no way to verify the integrity of the archive as no signed or non-signed checksums are available on the site.

    Can you provide the verified SHA-256 or SHA-512 hash for memtest86-usb.tar.gz V7.3?

    Thanks.

  • #2
    The code is code signed by us and Microsoft. So any machine that has secure boot in UEFI BIOS won't run the executable if it is corrupted or tampered with.

    TCP/IP also has checksums on the data transmission and so do the lower level transmission layers like Ethernet's CRC. So the possibility of undetected data corruption during transmission is very low. Also GZIP uses a CRC-32 checksum, and the file won't unzip if it is corrupt.

    The process of writing the file to USB has a verify option in it, which is on by default. So corruption should also be low here. And SHA (on the tar file) isn't going to detect this anyway.

    So this is already 5 layers of protection.

    Which leaves you with the possibility of data corruption via malware on your machine, or us distributing bad software in the first place. But if we are distributing bad software, then the SHA hashes we supply will still match.

    SHA1 is sufficient for the purposes of detecting file corruption. SHA-256/512 isn't required.

    So listing SHA values has very little value. But there they are anyway


    • #3
      Thanks.

      My main concern was an automated MITM attack as files are downloaded over plain HTTP and UEFI does not have secure boot configured.


      • #4
        Maybe there was a MITM attack, and they altered this page as well, displaying different hash values just for you?


        • #5
          Originally posted by David (PassMark):
          Maybe there was a MITM attack, and they altered this page as well, displaying different hash values just for you?

          An automated MITM attack that would serve a rogue copy to anybody using a compromised network is pretty easy to do over plain HTTP. Discovering that I'm asking for hashes in a forum and displaying different values for me would require human interaction in an attack specific to me, which is extremely unlikely. But yes, it's not optimal and the right thing to do would be publishing PGP-signed SHA256 or SHA512 checksums like many projects do. SHA-1 was broken in February and it's now possible to generate a hash collision, but at this point it would cost around $130,000 so it's good enough for verifying my copy.


          • #6
            An automated search and replace for a hash string is trivially easy compared to generating a SHA-1 hash collision.

            Also you can check the Microsoft code signing without having UEFI secure boot turned on. Via right click on the executable file. Like this,


            MemTest86 code signing by Microsoft



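Added example (not from any post in this thread, and not PassMark code): a verifier for a checksum manifest with one `path size digest` entry per line, which picks the hash algorithm from the digest length and refuses SHA-1 unless told otherwise. The manifest layout, the file name and the sample data are assumptions constructed for the example; as the thread points out, the result is only as trustworthy as the channel the manifest arrived over.

```python
import hashlib
import os
import tempfile

# Hex digest length -> algorithm. SHA-1 is recognised only to reject it by default.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}

def parse_manifest(text):
    """Parse '<path> <size> <hex digest>' lines into {path: (size, digest)}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit():  # skips header and blank lines
            entries[parts[0]] = (int(parts[1]), parts[2].lower())
    return entries

def verify(path, size, digest, allow_sha1=False):
    """Return 'ok', or the reason the file fails its manifest entry."""
    algo = ALGO_BY_HEX_LEN.get(len(digest))
    if algo is None:
        return "unknown digest length"
    if algo == "sha1" and not allow_sha1:
        return "sha1 not accepted"
    if os.path.getsize(path) != size:
        return "size mismatch"
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream in 1 MiB chunks
            h.update(chunk)
    return "ok" if h.hexdigest() == digest else "digest mismatch"

def demo():
    """Constructed sample: a matching file, then the same file with one byte changed."""
    data = b"constructed sample archive contents\n"
    manifest = "Path Size SHA-256\nsample-usb.tar.gz %d %s\n" % (
        len(data), hashlib.sha256(data).hexdigest())
    size, digest = parse_manifest(manifest)["sample-usb.tar.gz"]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-usb.tar.gz")
        with open(path, "wb") as f:
            f.write(data)
        good = verify(path, size, digest)
        with open(path, "wb") as f:
            f.write(data.replace(b"archive", b"archivE"))  # same size, new content
        return good, verify(path, size, digest)

if __name__ == "__main__":
    print(demo())
```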