A checksum is NOT a substitute for a digital signature.
In the case where the attacked has direct control over the website then you're right, it doesn't help at all.
I was pretty sure that's the threat model we were discussing: Software authenticity.
The only way to automatically know if a piece of software is legitimate is to have a trusted public key that can verify a signature.
Also, HTTPS is implied these days. If you're not using HTTPS, you are either malicious, negligent, incompetent, or working for someone who is some or all of the above.
Or poor. Hosting large amounts of binaries over https isn't cheap. I just priced Amazon S3 and cloudfront and for the amount of data that I serve it would cost $300 per month. That's a lot to commit for a GPL-ed binary that brings in practically zero revenue. Maybe there's a cut rate VPS out there that can handle 150GB of data and 3TB of bandwidth per month on the cheap, but I haven't found it yet.
Maybe like pointed out in another reply, not for checksums but for signatures. So you just copy/paste the signature after selecting a file, and then it can verify it's validity.
Is there no such extension yet? it seems like there should be one already.
You could pay for it with some sort of sponsorship from apps themselves, who have an interest in not getting compromised like this (it's terrible publicity).