I'm not aware of any problems with FreeBSD FTP mirrors being compromised recently. I wanted an example of data-adjacent-to-hash and most of the audience was FreeBSD people, so I figured that I'd go with an example close to home.
Wouldn't signing the checksum file solve the problem?
Yes. Or just relying on the FreeBSD release announcements, which contain SHA256 hashes and are signed.