That problem can be solved by retrieving the key out of band. If you're that worried about it, use a VPN to verify that the key you're seeing is the right key. That will vastly increase the difficulty of pulling off a successful attack. They'd have to MitM both connections, as well as the connection you're using to download the software, in order to compromise it.