Stub downloader. Similar to the one that Mozilla is providing for Firefox downloads. A small tool that is used to download and install the real tool.
Securing downloads may be better when written as a general purpose tool (not specific to Whonix ™).
No other projects such as Firefox or Debian support this use case.
Learning C++ and adding Metalink (including OpenPGP support) into Firefox (see Metalink, see https://bugzilla.mozilla.org/show_bug.cgi?id=331979) might be one of the simpler, yet very difficult approaches. For Firefox, gsoc may be way to get this feature in, which means that some uber geek spends 4 months full time on developing this. (While still not addressing the TUF threat model.)
- How to download and verify the host program in the first place?
- How to download the secure downloader itself in censored countries?
- How to download files in censored countries?
- Torify downloads?
Such a host program is host operating system specific, well you can write it in a cross platform language but still have to struggle with platform specific quirks.
The Tor Project never managed to get such a downloader up and running, see.
- liberationtech: secure download tool - doesn't exist?!?
- proposal to defend a permanent takedown threat
TUF (The Update Framework) 
- TUF Threat Model,
TUF: Attacks and Weaknesses
- GPG signatures do not authenticate filenames
- en.bitcoin.it/wiki/User:Gmaxwell/update_checking_requirements 
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)