GPG signed verification of releases #1644

@jamesob

Given the security-critical nature of this project, I think it would be preferable to have GPG-signed hashes available alongside source releases. Right now (AFAICT) this project is hinging completely on the GitHub/HTTPS trust model when retrieving this repo for build and use.

Obviously the hashes and signatures GPG IDs would have to be posted somewhere aside from GitHub for full benefit.

I'm happy to help in whatever manner I can.
