It should be possible, when providing the URL, to fill out the expected checksum (SHA1, SHA256, whatever). As it downloads, the plugin will calculate the digest using the specified algorithm, and fail, if the downloaded file does not match the expectation.

This is an important security-related feature – to guard against someone substituting the downloaded sources with their own version (either in transit or after hacking the file-repository).