Interestingly I had to enable JS to see the checksum for the file download (?!).

Reproducible builds + a signed list of hashes would be a nice move for security.



All videolan files are GPG-signed and have several hashes (md5+sha1+sha256)


Ah, maybe I missed the link on the DL page.

All I see on the DL page are links to the source, nothing on GPG nor hashes

https://www.videolan.org/vlc/#download

When I clicked to DL my version, all I saw was a "click here to see hash" that needed me to enable JS. Just sha256, which is good btw, more is not better when it comes to hashes - sha256 is sufficient.

Many open source projects provide all these on 1 page, rather than rely on complex code to deliver the info or display it on the DL page.

Ex: https://www.torproject.org/download/ lists sigs under each OS option.


Well tor project and VLC have a very different audience, but I'll see what I can do.


I totally understand. Back in grad school I focused on usable security, and usually fewer clicks to get to something means people are more likely to use the info.

Thanks for your help.


I always wondered what purpose these hashes shown on dl pages serve. If someone can hack your website to change out the .exe or whatever, surely they could also just change the hash displayed?


The issue is more a rogue mirror, than the main website being hacked. But yes, this is very true.
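As an added illustration of the point made across this thread (why a signed hash list defends against a rogue mirror while a hash printed on the same page as the binary does not), here is a small verification script. It is not from the thread, from VideoLAN or from any project's release tooling; it assumes a `SHA256SUMS`-style list (`<hex>  <filename>` per line), an optional detached signature `SHA256SUMS.asc`, and a keyring path the user supplies. The demo at the bottom uses constructed files only.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded file against a
# SHA256SUMS list, and verify the list itself with a detached GPG signature.
set -eu

# Portable SHA-256 hex digest: coreutils sha256sum on Linux, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Look up the expected digest for a file in a SHA256SUMS-style list and
# compare it with the file's actual digest.
# Exit status: 0 = match, 1 = mismatch (tampered or truncated download),
#              2 = file not listed at all (refuse rather than guess).
check_listed_hash() {
    sums="$1"; file="$2"
    name=$(basename "$file")
    expected=$(grep -E "^[0-9a-fA-F]{64}  \*?${name}\$" "$sums" | head -n1 | cut -d' ' -f1) || true
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] && return 0 || return 1
}

# Verify the hash list's detached signature against a keyring the user
# obtained out of band (assumed path, not a real project key). A mirror that
# swaps the binary can also swap the hash list, but cannot re-sign it.
# Requires gpg; not exercised by the demo below.
verify_hash_list_signature() {
    keyring="$1"; sig="$2"; sums="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums"
}

# Demo on constructed files: a good download, then a tampered one.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed release payload\n' > "$tmp/example-release.tar.xz"
    printf '%s  example-release.tar.xz\n' "$(sha256_of "$tmp/example-release.tar.xz")" > "$tmp/SHA256SUMS"
    if check_listed_hash "$tmp/SHA256SUMS" "$tmp/example-release.tar.xz"; then
        echo "example-release.tar.xz: hash OK"
    fi
    printf 'swapped by a rogue mirror\n' > "$tmp/example-release.tar.xz"
    if ! check_listed_hash "$tmp/SHA256SUMS" "$tmp/example-release.tar.xz"; then
        echo "example-release.tar.xz: hash MISMATCH, do not install"
    fi
    rm -rf "$tmp"
}

demo
```

In real use the order matters: fetch the project's public key from a channel other than the mirror, run `verify_hash_list_signature` on the list first, and only then run `check_listed_hash` on the binary. Checking a hash copied from the same unsigned page as the download only detects corruption in transit, which is the objection raised above.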



