To comply with U.S. critical infrastructure regulations we're required to verify the integrity of all software via file hashes. In the past we've always compared the hash of the installer file to the hash provided on the company/organization's website.
From what I can tell there aren't any hashes for the software provided on the OPC Foundation's website, but I noticed in the release notes that "all binaries are signed with SHA256." I'm not sure how that applies to our verification process, however.
Any suggestions would be greatly appreciated.