Many projects do not digitally sign their releases. I have hashed the files below and provide their SHA-256 checksums here so that others can attempt to verify authenticity, based on the fact that at least one other person received the same file as they did. Hopefully others will also begin doing this so we can cross-verify the checksums and crowd-source a bit of security.
SHA-256 (hex)                                                     File
a5146a143c7bbd6a0b8384a1aa233243b72cca94cbec62aa3d70a82f5b262550  androidfiletransfer.dmg (v 1.0.50.2266)
68fffc5e94d65d0f5dc336ac2e603a13307aa77bb5ccc6b2968f7c117dd89395  ccid-installer.dmg v0.14
18317ba924475223ae6fc50787850e63ed078d4d4a2e8d534c5843a2df2a9bf2  electrum-2.7.18.dmg
6f2308b082e6b74ac43e31d59b3ea50555de02984fb6ba5a229bbeddb57e8025  GnuPG-2.1.9.dmg
a29edb4f44abfb1608a6a957aca21e6cc21d1b2c5f400ea5008f2ac18cb8cbc1  GPG_Suite-2017.1b3-v2.dmg (sig)
d8b618878b1949496197e31ee4b8d36b50ad6169cc5acef8c1cb1917e6b4200b  hpprinterdriver3.1.dmg
a6ea47965542b5c06787f832f3ae5be65da6c6ed91664b0c0ed4994650d98244  javaforosx.dmg Java for OS X 2017-001
44271fef18fd07a29241e5324be407fa8edce77fb0b55c5646cd238092cdf823  KeePassX-2.0.3.dmg (sig)
59d7530625866c3d7d5cfa753e12dee0f052f79e1a7572f8e5633ad915369228  KeePassXC-2.3.4.dmg
0d6d03b6d5b13e0916f18d156dd83a5b46d9f6b25625af8723f211ad39d261cb  Keybase.dmg [1]
5521bcf0dccc8394fbb95b1bd70c85abc2e704474b3d6da465b327a865c8002c  macosupd10.12.1.dmg macOS Sierra
b46e5786343f236d203037a7ace8f1b28145a51a3f84fa527efcf62f47b5b8de  meld-1.8.4.tar.xz
db3572c5c6905b09f4fc28415a7f6f223014391492dd2165ed1bc8512ac4e6fd  meld-3.12.3.tar.xz
0f31b7d8f00779969e339bec89163b573c9c9e9ce10cdbbe0c4acfc11fcb527b  Mumble-1.2.15.dmg
b35a56cafa4403fcb941422e4975c843018965282571d05a660485a21fde1bbe  OpenSC-0.17.0.dmg
de45388f6aceb547f08112e24f2ed49a2160725ed4590adcc8488a5d5d3f0067  osxfuse-3.9.2.dmg
59a2549913f523dac5a51859de135d92e434c1801ca571eb2d74664d19d6b627  picasamac39.dmg [2]
e3d0d74242f25a7c8b097cedf7cb9ccb67b11db8764166748f3f793c41e6199d  picasamac39.dmg [3]
dda519484075ce455f91962d04ca57535c50604b30e886e5025ab97a4e5be1df  qbittorrent-3.3.11.dmg
952f81f79efb1a0a103fe87328af6a0dd8adf64e16636ecb221e79e453564b6c  Sublime Text Build 3143.dmg
fe46c69d783f2aa290d18caec30b3f17481c47def9c271dc66db1b7bbd3074c5  sudo-1.8.19p2.pkg
04db58b737c05bb6b0b83f1cb37a29edec844b59ff223b9e213ee1f4e287f586  TrueCrypt 7.1a Mac OS X.dmg
d957b207b13b705f9ef5e4f54942af0b41fb335219ca0833c34627ce95e968f9  tuxerantfs_2016.1.dmg
8c5ba5e8a19de5a33461f3cd84617140736d7cb38e306d0ac4b1c058940227f3  VeraCrypt_1.23.dmg
51a6cc75841ed60e01ea62974907049fd3d39be7a916f30e77d842c1a8354655  VirtualBox-5.1.26-117224-OSX.dmg [4]
c9b3a373b7fd989331117acb9696fffd6b9ee1a08ba838b02ed751b184005211  XQuartz-2.7.7.dmg
d8f40bb712aff6aecf5b24bf08a100ce67c98ddcec9461af6b418190be0b39aa  debian-live-9.5.0-amd64-xfce.iso
f3f31634c05243e33a82a96e82c3cd691958057489e47eebe8ac3b0c0e6dd3b4  sublime-text_build-3126_amd64.deb
676f1322166536dc1e27b8db22462ae73f0891888cfcb09033ebc38f586e834a  tails-amd64-3.0.iso [5]
43f895cfcdbe230907c47b4cd465e5c967bbe741a9b68512c09f809d1a2da1e9  truecrypt-7.1a-linux-x64.tar.gz
62f95e8d8a7cee3dd1072f54942d39605e2a860031ce56ea0a6e6b832e4ad147  truecrypt-sha256-hashes.txt
[1] Keybase.dmg : (92012764 bytes) v1.0.22-20170515141716+b608f0e (Downloaded on 2017-05-20)
[2] picasamac39.dmg : v3.9.139 - 84,801,775 bytes
[3] picasamac39.dmg : v3.9.141.306 - 87,858,245 bytes
[4] VirtualBox-5.1.26-117224-OSX.dmg : v5.1.26 - 94,537,485 bytes (verified via SHA256SUMS)
[5] tails-amd64-3.0.iso : File signature and signing key 0x58ACD84F.
You can use the SHA-256 hashes above to check if a file you downloaded matches the one I (Jonathan Cross) downloaded. If you find a mismatch, please let me know immediately.
SHA-256 (Secure Hash Algorithm, 256-bit output) produces a fixed-length string of numbers and letters for any piece of data, a digital "fingerprint" or "checksum"; in practice no two different files produce the same one. This lets you verify the integrity of a file you downloaded, but not its authenticity. For authenticity you also need to know which hash is the correct one, and that is hard when the developer does not publish a definitive answer. That is the situation in which the list above may be most useful. Since I did not create the software, I cannot be sure which hash is correct either, but I can at least share the results I observed and hope that others also see the same results.
All software should be digitally signed by the developer; unfortunately, we are not there yet.
All changes (git commits) to this file are signed with my OpenPGP key: C0C076132FFA7695. Here on GitHub, each commit will have a green "Verified" badge for the OpenPGP subkey D8578DF8EA7CCF1B. You can also verify this independently via git show --show-signature HEAD if you don't trust GitHub (which you shouldn't).
One of these commands should work on all recent macOS / Linux machines:
openssl dgst -sha256 [filename]
sha256sum [filename]
shasum -a 256 [filename]
Solaris:
digest -a sha256 [filename]
Windows:
Recent versions ship with certutil -hashfile [filename] SHA256 and PowerShell's Get-FileHash [filename]; otherwise you'll have to install software that can calculate SHA-256 hashes. hashdeep (part of the md5deep-4.4.zip package) seems okay.
Digital signatures offer additional information which can be used to establish both the integrity and the authenticity of a file. They start with a hash of the file (integrity); that hash is then digitally "signed" with the developer's private key. A valid signature tells you that the program you are installing was signed by the person who wrote the software (or at least by someone with access to their private key). The most common program for doing this is GNU Privacy Guard (the gpg command), which was developed as a Free / Libre implementation of the OpenPGP specification. I have included digital signature info above when available.
A signature only proves something once you have verified the public key it was made with, or more precisely the "fingerprint" of that public key; a signature that checks out against a key you have not verified only proves that whoever holds that key signed the file. My fingerprint, for example, is: 9386 A2FB 2DA9 D0D3 1FAF 0818 C0C0 7613 2FFA 7695
If you know the developer or have a way to meet them, GREAT! You can verify their OpenPGP key directly. If (more likely) you do not know them, you can try to establish the authenticity of the key and its real owner in many ways: by searching for commits on GitHub which are signed with that key, by finding websites, social media accounts, etc. which prove ownership of that key (see Keybase.io, e.g. keybase.io/jcross), or through the OpenPGP Web of Trust. You can even have a video call with them and ask them to show / read the key fingerprint aloud. However, nothing is as secure as meeting in person to verify keys.
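The two checks described above (comparing a download against a published SHA-256, and checking a detached OpenPGP signature) put together as a POSIX shell script. This is an added example and not part of this repository: the function names, the constructed sample file and the "release.dmg" names in the comments are my own. It picks whichever hash tool is installed, accepts the expected checksum in either case, and, for the signature check, refuses to accept a "good signature" unless it was made by the key whose fingerprint you pass in, because gpg itself reports a good signature for any key in your keyring.

```shell
#!/bin/sh
# Added example, not the repository's own code.

# Print the lowercase hex SHA-256 of the file "$1" using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        # Prints "SHA256(file)= <hex>" (or "SHA2-256(file)= <hex>" on 3.x).
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        echo "no SHA-256 tool found (need sha256sum, shasum or openssl)" >&2
        return 2
    fi
}

# Compare file "$1" against the published checksum "$2" (case-insensitive).
# Returns 0 on match, 1 on mismatch, 2 if "$2" is not a SHA-256 at all.
verify_sha256() {
    vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $vs_expected in
        *[!0-9a-f]*|'') echo "expected value is not hex: $2" >&2; return 2 ;;
    esac
    if [ "${#vs_expected}" -ne 64 ]; then
        echo "expected value is not 64 hex digits: $2" >&2
        return 2
    fi
    vs_actual=$(sha256_of "$1") || return 2
    if [ "$vs_actual" = "$vs_expected" ]; then
        echo "OK   $1"
        return 0
    fi
    echo "FAIL $1" >&2
    echo "  expected: $vs_expected" >&2
    echo "  actual:   $vs_actual" >&2
    return 1
}

# Verify the detached signature "$2" over file "$1" AND require that it was
# made by the key whose primary fingerprint is "$3" (spaces allowed).
verify_pgp_sig() {
    vp_want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    # --status-fd 1 puts gpg's machine-readable status lines on stdout;
    # a bad or unverifiable signature makes gpg exit non-zero.
    vp_status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # On a VALIDSIG line the last field is the primary key fingerprint; the
    # field right after VALIDSIG is the signing subkey, which may differ.
    vp_got=$(printf '%s\n' "$vp_status" |
             awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {print $NF}')
    [ -n "$vp_got" ] && [ "$vp_got" = "$vp_want" ]
}

# Demo on a constructed file (not one of the downloads listed above):
# SHA-256 of the five bytes "hello".
demo_file=$(mktemp)
printf 'hello' > "$demo_file"
verify_sha256 "$demo_file" 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
rm -f "$demo_file"
# For a signed release you would additionally run something like:
#   verify_pgp_sig release.dmg release.dmg.sig "<developer's fingerprint>"
```

The fingerprint passed to verify_pgp_sig is the one you established out of band (in person, via signed commits, Keybase, the Web of Trust, and so on); a matching checksum from this list plus a signature pinned to a verified key is the strongest check these two tools can give you.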