You can verify a downloaded file using its PGP signature. Alternatively, you can verify its SHA256 checksum. So how does it work? First of all you need to download two files: file.zip and file.zip.asc (the detached signature). Let's take a look at an example, downloading the phpMyAdmin package (see the instructions and the download links at the end of this post).
Navigate to the download folder (in Git Bash use):
cd /c/Users/SYMFONY/Downloads
Now proceed as the phpMyAdmin instructions describe. The first command is the generic form, the second is the one for version 5.1.1:
gpg --verify phpMyAdmin-YOUR_VERSION_HERE-all-languages.zip.asc
gpg --verify phpMyAdmin-5.1.1-all-languages.zip.asc
Import the phpMyAdmin keyring file:
gpg --import phpmyadmin.keyring
or try to import the key directly from the command line like this:
gpg --keyserver hkp://pgp.mit.edu --recv-keys 3D06A59ECE730EB71B511C17CE752F178259BD92
Now you can verify the file using this key:
gpg --verify phpMyAdmin-5.1.1-all-languages.zip.asc
As you can see, we were able to verify the downloaded file, but gpg still shows a warning that the key is not certified with a trusted signature. According to https://docs.phpmyadmin.net:
“The problem here is that anybody could issue the key with this name. You need to ensure that the key is actually owned by the mentioned person. The GNU Privacy Handbook covers this topic in the chapter Validating other keys on your public keyring. The most reliable method is to meet the developer in person and exchange key fingerprints, however, you can also rely on the web of trust. This way you can trust the key transitively though signatures of others, who have met the developer in person.
Once the key is trusted, the warning will not occur.”
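The practical answer to that warning is to pin the key fingerprint you obtained out of band (the one from the phpMyAdmin documentation, imported above) and check it against what gpg actually reports, instead of relying on the web of trust. The script below is an added example, not code from this post or from the phpMyAdmin project: it parses the machine-readable output of gpg --status-fd 1 --verify, accepts the signature only if the VALIDSIG line names the pinned fingerprint, and also checks a file against a sha256sum-style checksum line (the alternative mentioned at the top). The sample status lines, the user id, the dates and the archive bytes are constructed for the example; only the fingerprint is the real one from this post.

```python
"""Added example: pin the signing key fingerprint after gpg --verify.

Capture the status output with, for example,
    gpg --status-fd 1 --verify phpMyAdmin-5.1.1-all-languages.zip.asc
and pass the captured text to check_signature().
"""
import hashlib

# Fingerprint of the phpMyAdmin release key imported in this post.
EXPECTED_FPR = "3D06A59ECE730EB71B511C17CE752F178259BD92"

# Constructed sample of gpg --status-fd output for a good signature made by a
# key that is not in our web of trust (TRUST_UNDEFINED). The user id, SIG_ID
# and dates are placeholders, not real phpMyAdmin release metadata.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 3D06A59ECE730EB71B511C17CE752F178259BD92 0
[GNUPG:] SIG_ID AbCdEfGhIjKlMnOpQrStUvWxYz0 2021-06-04 1622800000
[GNUPG:] GOODSIG CE752F178259BD92 Release Signer <signer@example.org>
[GNUPG:] VALIDSIG 3D06A59ECE730EB71B511C17CE752F178259BD92 2021-06-04 1622800000 0 4 0 1 10 00 3D06A59ECE730EB71B511C17CE752F178259BD92
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Status keywords that mean the signature must not be accepted.
FAIL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(text):
    """Split gpg --status-fd output into (keyword, args) tuples; skip other lines."""
    records = []
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line[len("[GNUPG:] "):].split()
        if parts:
            records.append((parts[0], parts[1:]))
    return records


def normalize_fpr(fpr):
    """Fingerprints are often shown with spaces; compare them without."""
    return fpr.replace(" ", "").upper()


def check_signature(status_text, expected_fpr):
    """Return (ok, reason).

    ok is True only if gpg reported a valid signature AND the primary key
    fingerprint equals the one we pinned out of band. TRUST_UNDEFINED is
    acceptable here because the pinned fingerprint replaces gpg's trust model.
    """
    records = parse_status(status_text)
    for keyword, _ in records:
        if keyword in FAIL_KEYWORDS:
            return False, "gpg reported " + keyword
    validsig = [args for keyword, args in records if keyword == "VALIDSIG"]
    if not validsig:
        return False, "no VALIDSIG line: signature not verified"
    args = validsig[-1]
    # args[0] is the signing (sub)key fingerprint; args[9], when present,
    # is the primary key fingerprint, which is what the docs publish.
    primary = args[9] if len(args) > 9 else args[0]
    if normalize_fpr(primary) != normalize_fpr(expected_fpr):
        return False, "signed by unexpected key " + primary
    trust = [keyword for keyword, _ in records if keyword.startswith("TRUST_")]
    level = trust[-1] if trust else "unknown"
    return True, "valid signature from pinned key; gpg trust level " + level


# Constructed archive bytes and a checksum line in the "<hex digest>  <name>"
# format that sha256sum prints (binary mode prefixes the name with "*").
SAMPLE_ARCHIVE = b"constructed sample archive bytes, not a real release\n"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest() + "  file.zip\n"


def verify_sha256(data, sums_text, filename):
    """Check data against the digest listed for filename in a sha256sum file."""
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if name.lstrip("*") == filename:
            return hashlib.sha256(data).hexdigest().lower() == digest.lower()
    return False  # filename not listed: treat as a failed check


if __name__ == "__main__":
    print(check_signature(SAMPLE_STATUS, EXPECTED_FPR))
    print(verify_sha256(SAMPLE_ARCHIVE, SAMPLE_SUMS, "file.zip"))
```

Note that a checksum only proves the download matches what the same site published; if an attacker can replace the archive, they can replace the .sha256 file next to it too. The signature check is stronger because the expected fingerprint comes from a source other than the download itself, which is exactly why the fingerprint, not gpg's "trusted signature" warning, is what this script pins.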
https://www.gnupg.org/gph/en/manual.html#INTRO
https://docs.phpmyadmin.net/en/latest/setup.html#verifying-phpmyadmin-releases
https://www.phpmyadmin.net/downloads/