added GPG-signed file hashes

downloads/hashes.txt

@@ -0,0 +1,25 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+This GPG-signed message exists to confirm the SHA sums on Monero binaries.
+
+Please verify the signature against the signature for fluffypony in the
+source code repository (/utils/gpg_keys).
+
+monero.freebsd.x64.v0-8-8-6.tar.bz: 9fd0005b697e146a26a0bf9e3cd0c89b978f7fbd
+monero.linux.x64.v0-8-8-6b.tar.bz2: 16f3f55bcfbfae6135cbeda6574f651890a8be64
+monero.mac.x64.v0-8-8-6.tar.bz2: 7069de92083fb7831b063cc152e8f35508ff61bf
+monero.win.x64.v0-8-8-6.zip: facbeb2e408cf8b9a46534363eba161dbb047654
+
+Riccardo "fluffypony" Spagni
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQEcBAEBAgAGBQJU63MyAAoJEFVDLfMczU/N6ksIAIuJkAfnl+xP+1AMvAqQR2jq
+xIBbQ5ZPnH3PvQevKNqJkRE+To3Qbf6xYv8iPZFBKz68Fc06+lOXXSMQnqA4mDTj
+Lh2M4YJJnOxkjf8gnWEW1jI666Y+oiA97luYT04ytNIXCoUGZFQmP+MGAo6Q/s3K
+JsT6d/u/LxavWaGReG61EvLx+ey8WcInIabGMcZsnTZn2GBQFfXiz6MKfcnhM7nY
+xk+oe+oqL2Tohpi7/zRkFfy6nKk6wcv98sfoAen0c+VprBZwotypvccL6kTjF57F
+51bXAK1RnbzencfFpaGBhShyVnzPXWgZro+nLEWMemhlua4xNg9fjYddDzqp7Cc=
+=VF+L
+-----END PGP SIGNATURE-----

downloads/index.md

@@ -15,6 +15,8 @@ Monero Core consists of several applications, including bitmonerod (the daemon u
 
 If you are using Monero Core for the first time you may want to download a @blockchain bootstrap to get you started. A link to download the @blockchain bootstrap is included in the listings below.
 
+Note: the SHA hashes are listed by the downloads for convenience, but a GPG-signed list of the hashes is at [getmonero.org/downloads/hashes](https://getmonero.org/downloads/hashes) and should be treated as canonical, with the signature checked against the appropriate GPG key in the source code (in /utils/gpg_keys).
+
 <div class="row">
 
 {% for data_downloads in site.data.downloads %}