A quick way I verify the validity of a download where the vendor posts the MD5 Checksum, such as JAMF Assets, is to use the Terminal.
At the prompt, type "md5" + drag the .dmg from the Downloads folder + " | grep " + copy and paste the entire MD5 Checksum value from the web page + enter
If it returns a line beginning with "MD5 (" + path to image = checksum, then it checks out. If it just gives the prompt, it has been modified and you should be wary.