I suggest @info.nxtcrypto link @Luc's BTT post for each client update, so we can do a fast simple comparison with @Luc's post and confirm the sha256sum. If hacker replaced the download file and also replace sha256sum at info.nxtcrypto, it's not so easy to find it, but I think hack those 2 and Luc's account at the same time is more difficult.
See those *.asc files in the http://download.nxtcrypto.org/ directory? Those are GPG signatures of the corresponding zip files. If you download both nxt-client-0.5.3.zip and nxt-client-0.5.3.zip.asc in the same directory, you can run "gpg --verify nxt-client-0.5.3.zip.asc" to verify my signature of the zip package. This gives you one independent way of checking, and a hacker cannot provide a signature for a modified zip package without somehow stealing my private GPG key.The nxt-client-0.5.3.zip.sha256.txt.asc is again a GPG signed file containing the sha256 sum. You can run "gpg --verify nxt-client-0.5.3.zip.sha256.txt.asc" to verify its content, then run "sha256sum -c nxt-client-0.5.3.zip.sha256.txt.asc" which will say "nxt-client-0.5.3.zip: OK" if the sha256 sum matches (ignore the warning about the extra lines, those are the gpg signature).
Finally, the value of the NRSversion alias on the blockchian contains the sha256 sum of the last stable release.
That gives you quite a few independent ways of verifying the package.
Add to this getting your public key based on "GPG key fingerprint" and it will be nice guide.
And yes, we definitely need nxt-client-latest to automate all this steps
