Whonix ™ comes with many security features. Whonix ™ is Kicksecure ™ security hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.
Whonix ™ can be downloaded over TLS (formerly SSL) and/or an onion service. Note that the TLS certificate authority (CA) system is seriously flawed and poses the risk of security breaches, therefore it should be avoided if possible.
As documented on the Verify Whonix ™ Images page, OpenPGP verification is far safer and strongly recommended as an alternative to plain TLS.
The most secure method of obtaining Whonix ™ is to build it from source code. In this way, it is unnecessary to trust that developers have actually created binaries which match the source code. For utmost security, the source code can be reviewed beforehand.
For further information, see: Anonymity Operating System Comparison: Download Security.