This is a broader question, but here is a concrete example:
From https://www.apache.org/info/verification.html :
File hashes are used to check that a file has been downloaded correctly. They do not provide any guarantees as to the authenticity of the file.
I don’t understand this part:
They do not provide any guarantees as to the authenticity of the file.
The checksum used is from a trusted HTTPS source (e.g. https://downloads.apache.org/tomcat/tomcat-8/v8.5.56/bin/apache-tomcat-8.5.56.zip.sha512).
How can a file not be authentic if it matches a checksum from a trusted HTTPS source?
Or am I missing something, and do I still need to validate with a GPG key?
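To make the gap concrete (an added illustration, not part of the question or of Apache's verification page): a checksum published next to the archive only proves that the two match, while a signature needs a key the download host never had. HMAC-SHA512 stands in here for the OpenPGP signature, and the host, archive bytes and key are all constructed.

```python
import hashlib
import hmac

# Constructed scenario: a download host serving an archive, its .sha512 file
# and a detached signature. HMAC-SHA512 stands in for the OpenPGP signature:
# re-signing needs a key that the host never holds, just as with GPG.
ARCHIVE = "apache-tomcat-8.5.56.zip"
GENUINE = b"constructed genuine archive bytes"
TROJANED = b"constructed tampered archive bytes"
RELEASE_KEY = b"constructed release-manager signing key, kept off the host"

def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()

def sign(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, "sha512").hexdigest()

def publish(host: dict, data: bytes, key: bytes) -> None:
    """Release manager uploads archive, checksum and signature to the host."""
    host[ARCHIVE] = data
    host[ARCHIVE + ".sha512"] = sha512_hex(data)
    host[ARCHIVE + ".asc"] = sign(data, key)

def compromise_host(host: dict, data: bytes) -> None:
    """Whoever controls the host can swap the archive and regenerate the
    checksum beside it; the signature cannot be regenerated without the key."""
    host[ARCHIVE] = data
    host[ARCHIVE + ".sha512"] = sha512_hex(data)

def checksum_ok(host: dict) -> bool:
    """What `sha512sum -c` checks: both values fetched over HTTPS from the same host."""
    return hmac.compare_digest(sha512_hex(host[ARCHIVE]), host[ARCHIVE + ".sha512"])

def signature_ok(host: dict, key: bytes) -> bool:
    """What `gpg --verify` checks, against a key obtained independently of the host."""
    return hmac.compare_digest(sign(host[ARCHIVE], key), host[ARCHIVE + ".asc"])

def run_scenario() -> dict:
    """Verdict of each check before and after the host is compromised."""
    host: dict = {}
    publish(host, GENUINE, RELEASE_KEY)
    before = {"checksum": checksum_ok(host), "signature": signature_ok(host, RELEASE_KEY)}
    compromise_host(host, TROJANED)
    after = {"checksum": checksum_ok(host), "signature": signature_ok(host, RELEASE_KEY)}
    return {"before": before, "after": after}

if __name__ == "__main__":
    print(run_scenario())
```

HTTPS only tells you that you are talking to the host; it says nothing about whether what the host stores is what the release manager produced, which is why both the archive and its checksum pass after the swap and only the signature check fails.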