The current MD5 file signatures allow end users to check whether the file is still intact. However, it doesn't guarantee the file (and MD5) haven'/files/ field and API should support PGP signatures.
The file (and image) field should get an additional field for the MD5 hash. The /files/ would then need an "MD5" variable that would download a "text/plain" file with the hash as content. The filename can be generated based on the original filename and a .md5 suffix (filename.ext.md5).
Note that it's probably wise to add an MD5 property to the file/image fields to allow it to be enabled/disabled.
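
The sidecar described above, sketched as an added example (not code from the project), together with the limit the first paragraph points at: an unkeyed hash catches corruption, but a replaced file shipped with a regenerated hash still verifies. The function names, sample bytes and key are assumptions; HMAC-SHA256 from the standard library stands in for a PGP signature only to show a check tied to a secret that someone replacing the file does not have.

```python
import hashlib
import hmac


def md5_sidecar(filename: str, data: bytes) -> tuple[str, str, str]:
    """Return (sidecar filename, content type, body) for a stored file."""
    digest = hashlib.md5(data).hexdigest()
    return f"{filename}.md5", "text/plain", digest


def md5_matches(data: bytes, sidecar_body: str) -> bool:
    """Integrity check an end user can run after downloading both files."""
    expected = sidecar_body.strip().lower().encode()
    actual = hashlib.md5(data).hexdigest().encode()
    return hmac.compare_digest(actual, expected)


def keyed_tag(key: bytes, data: bytes) -> str:
    """Stand-in for a signature: a tag that cannot be produced without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_matches(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data).encode(), tag.strip().encode())


def demo() -> dict:
    original = b"release contents (constructed sample)\n"
    name, ctype, body = md5_sidecar("filename.ext", original)

    # Case 1: the file is damaged in transit, the sidecar is unchanged.
    corrupted = original[:-1] + b"?"

    # Case 2: the file is replaced and the sidecar regenerated to match,
    # which needs nothing beyond write access to both files.
    swapped = b"different contents (constructed sample)\n"
    _, _, swapped_body = md5_sidecar("filename.ext", swapped)

    key = b"publisher-only key (constructed)"
    tag = keyed_tag(key, original)  # published alongside the original
    return {
        "sidecar_name": name,
        "content_type": ctype,
        "corruption_passes_md5": md5_matches(corrupted, body),
        "swapped_pair_passes_md5": md5_matches(swapped, swapped_body),
        "swapped_file_passes_tag": tag_matches(key, swapped, tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```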