This script uses SHA-1 to verify checksums. SHA-1 isn't considered tamper-proof any more, see: https://shattered.io/. We should switch to use a safer hash algorithm, at least SHA-256 (SHA-2).

I'd make a PR if you're interested.