To answer the question:

You change the SHA1 hash of the voting data in both the PDF and the XML filename. As long as the user is not verifying against a paper printout this attack will work.

Everything else in this article is secondary.

Well, that's funny: Firefox tells me that "Your connection is not secure. The website tried to negotiate an inadequate level of security."