If someone can change the download page, they can change the hash too. If you sign the code with a secret key, they have to steal your key too — and you should be keeping that off of your web server.
ISC Diary | PHP.net compromise aftermath: Why Code Signing Beats Hashes, Author: Johannes Ullrich
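An added example (not from the original post or the linked diary) of the argument above, in Go with only the standard library: when the file and its hash are replaced together the hash check still passes, while a signature check against a public key obtained separately from the web server fails. The `Page` type, the function names and the sample contents are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Page is everything the web server hosts; all of it is attacker-writable
// once the server is compromised.
type Page struct {
	Tarball   []byte
	SHA256Hex string // hash shown next to the download
	Signature []byte // detached signature shown next to the download
}

func hashHex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Publish runs on the release machine; priv never reaches the web server.
func Publish(tarball []byte, priv ed25519.PrivateKey) Page {
	return Page{Tarball: tarball, SHA256Hex: hashHex(tarball), Signature: ed25519.Sign(priv, tarball)}
}

// Tamper models an intruder with write access: the file and its hash are
// replaced together, and the file is re-signed with the intruder's own key.
func Tamper(evil []byte, intruderKey ed25519.PrivateKey) Page {
	return Publish(evil, intruderKey)
}

// HashOK is the check a downloader does against the hash on the same page.
func HashOK(p Page) bool { return hashHex(p.Tarball) == p.SHA256Hex }

// SigOK verifies against a public key the downloader obtained out of band.
func SigOK(p Page, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, p.Tarball, p.Signature)
}

// Demo returns the check results for a clean page and a tampered one.
func Demo() (cleanHash, cleanSig, evilHash, evilSig bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)   // project release key (constructed)
	_, intruder, _ := ed25519.GenerateKey(nil) // intruder does not hold priv
	clean := Publish([]byte("release-1.0 contents (constructed)"), priv)
	evil := Tamper([]byte("modified contents (constructed)"), intruder)
	return HashOK(clean), SigOK(clean, pub), HashOK(evil), SigOK(evil, pub)
}

func main() {
	fmt.Println(Demo()) // true true true false
}
```

The signature check only helps if the verifying key is pinned or fetched through a channel other than the download page; a public key served from the same compromised page can be swapped along with the file.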