We have the same issues with all the crypto coins. Take BTC as an example. Folks are using software to store coins that are valued at ~10K. Some people have multiple coins with great value overall. Yet, they don't take the time to verify a simple sha256? If available, it's much better to use a GPG verify process because it prevents a fake website from hosting not only the bad files, but also a FAKE sha256 sum. Think about it. If I host a fake site and give you a fake sha256 to my bogus file then, surprise, it confirms and you think you have the real deal. Not so, though. However, with the GPG signed file ONLY the private key for the signing set can make the signature test true. MUCH better authentication.
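The difference described above, as an added example that is not part of the original post: a bash script that builds a constructed release and a look-alike mirror in a temp directory, then runs the checksum-only check and the signature check against both. The throwaway key, the file names and the `real`/`fake` directory names are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, file name and address here is made up.
set -u
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"          # throwaway keyring, never your real one
mkdir -m 700 "$GNUPGHOME" "$WORK/real" "$WORK/fake"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Publisher side: build a release, list its hash, sign the hash list.
publish_real() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-generate-key \
      'Constructed Release Key <release@example.invalid>' default default never 2>/dev/null
  printf 'genuine wallet build\n' > "$WORK/real/wallet.tar.gz"
  ( cd "$WORK/real" && sha256sum wallet.tar.gz > SHA256SUMS &&
    gpg --batch --quiet --armor --detach-sign -o SHA256SUMS.asc SHA256SUMS )
}

# Look-alike mirror: different file, checksum regenerated to match it.
# Without the private key it cannot re-sign, so it re-serves the old signature.
publish_fake() {
  printf 'altered wallet build\n' > "$WORK/fake/wallet.tar.gz"
  ( cd "$WORK/fake" && sha256sum wallet.tar.gz > SHA256SUMS )
  cp "$WORK/real/SHA256SUMS.asc" "$WORK/fake/"
}

# Check 1: hash only. Proves the file matches the list served beside it.
check_sum() {
  ( cd "$WORK/$1" && sha256sum --check --quiet SHA256SUMS ) >/dev/null 2>&1
}

# Check 2: signature over the hash list first, then the hash itself.
check_sig() {
  ( cd "$WORK/$1" && gpg --batch --verify SHA256SUMS.asc SHA256SUMS ) >/dev/null 2>&1 &&
    check_sum "$1"
}

report() { if "$1" "$2"; then echo "$1 $2: PASS"; else echo "$1 $2: FAIL"; fi; }

publish_real && publish_fake
for site in real fake; do
  report check_sum "$site"
  report check_sig "$site"
done
```

The signature check only helps when the signer's public key or fingerprint was obtained through a channel the download site does not control; a key fetched from the same fake site verifies the fake signature just as happily.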