by _mpu
4070 days ago
In your case, PGP would be the best and not so hard to implement. If you don't want/know how to use PGP you can also publish the SHA1 sums of the files available on your download page. It's better than nothing. The second alternative is weaker because an attacker would simply need to change the binary and the sum on the website. In the PGP case, the attacker must get access to your PGP private key, and provided that you use PGP reasonably (no private key on your web server), this is harder.