If the paranoia runs that deep, and there's enough anxiety built into the scenario, then a substantial amount of responsibility must be adopted before embarking upon your journey.
This means your options are limited, but if you believe you have a real adversary, then your adversary defines the scenario.
Option 1: Obtain source code, and secure a build environment. Review the source code. Build from source, and test the behavior of the built product. This approach incorporates some cognitive disonnance, particularly when building crypto software from source. The axiom "never roll your own crypto" brushes closely against building a tool like PuTTY from source. How do you know you did it right? Well... does anyone REALLY ever know?
Option 2: Pay through the nose, and carefully identify the entities you accept assistance from. Do your accomplices carry any conflicts of interest? This includes your ISP, and the open source project you've selected as the authors of your tools. Do you need to pay for professional class internet service, including pre-defined static TCP/IP routing across leased lines? Do you need to speak directly with the team that develops your software? Have you considered paying for a proprietary tool, with a service agreement? Is what your doing legal? Do you carry liability insurance, in case damages result from your actions? Do you own life insurance?
If you're confronting an opponent, is the scale of your opponent real, or imaginary? The manner in which you arm yourself for the confrontation will be priced accordingly.
...but the short answer is: obtaining hashes over SSL from a source with a certificate that can be validated by a "trust-worthy" certificate authority is "probably" okay for most ordinary people, who aren't confronting state-sponsored adversaries.
This means your options are limited, but if you believe you have a real adversary, then your adversary defines the scenario.
Option 1: Obtain source code, and secure a build environment. Review the source code. Build from source, and test the behavior of the built product. This approach incorporates some cognitive disonnance, particularly when building crypto software from source. The axiom "never roll your own crypto" brushes closely against building a tool like PuTTY from source. How do you know you did it right? Well... does anyone REALLY ever know?
Option 2: Pay through the nose, and carefully identify the entities you accept assistance from. Do your accomplices carry any conflicts of interest? This includes your ISP, and the open source project you've selected as the authors of your tools. Do you need to pay for professional class internet service, including pre-defined static TCP/IP routing across leased lines? Do you need to speak directly with the team that develops your software? Have you considered paying for a proprietary tool, with a service agreement? Is what your doing legal? Do you carry liability insurance, in case damages result from your actions? Do you own life insurance?
If you're confronting an opponent, is the scale of your opponent real, or imaginary? The manner in which you arm yourself for the confrontation will be priced accordingly.
...but the short answer is: obtaining hashes over SSL from a source with a certificate that can be validated by a "trust-worthy" certificate authority is "probably" okay for most ordinary people, who aren't confronting state-sponsored adversaries.