Stub downloader: similar to the one that Mozilla provides for Firefox downloads. A small tool that is used to download and install the real tool.
Securing downloads may be better done by a general-purpose tool (not specific to Whonix).
No other projects such as Firefox or Debian support this use case.
Learning C++ and adding Metalink (including OpenPGP support) to Firefox (see Metalink, see https://bugzilla.mozilla.org/show_bug.cgi?id=331979) might be one of the simpler, yet still very difficult, approaches. For Firefox, GSoC may be a way to get this feature in, which means that some uber geek spends 4 months full time on developing it. (This would still not address the TUF threat model.)
- How to download and verify the host program in the first place?
- How to download the secure downloader itself in censored countries?
- How to download files in censored countries?
- Torify downloads?
Such a host program is specific to the host operating system. It can be written in a cross-platform language, but you still have to struggle with platform-specific quirks.
The Tor Project never managed to get such a downloader up and running, see:
- liberationtech: secure download tool - doesn't exist?!?
- proposal to defend a permanent takedown threat
TUF (The Update Framework) 
- TUF Threat Model, TUF: Attacks and Weaknesses
- GPG signatures do not authenticate filenames
- en.bitcoin.it/wiki/User:Gmaxwell/update_checking_requirements 
- https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md http://www.webcitation.org/6PRDsuYHq http://www.webcitation.org/6F7Io2ncN