This service runs as a Pipservice and verifies download artifacts using their accompanying checksums and detached signatures, as per our release distribution policies (outlined at https://infra.apache.org/release-distribution.html).
When a mismatch is detected, projects (and infra) are notified by email.
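
The checksum half of such a check can be sketched as follows. This is an added example, not this service's own code: the function names, the `.sha256`/`.sha512` extension map and the three checksum-file layouts it accepts are assumptions, and detached-signature verification and email notification are left out.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Checksum-file extension -> hashlib algorithm (assumed set for this example).
ALGORITHMS = {".sha256": "sha256", ".sha512": "sha512"}


def parse_checksum_file(text, hex_len):
    """Return the expected digest from a bare-digest, "digest  filename"
    or "filename: AB12 CD34 ..." (possibly line-wrapped) checksum file."""
    tokens = text.split()
    candidate = tokens[0].lower() if tokens else ""
    if len(candidate) != hex_len and ":" in text:
        # Grouped layout: drop the "filename:" prefix, join the hex groups.
        candidate = re.sub(r"\s+", "", text.split(":", 1)[1]).lower()
    if len(candidate) != hex_len or not re.fullmatch(r"[0-9a-f]+", candidate):
        raise ValueError("no well-formed digest in checksum file")
    return candidate


def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so large artifacts are not read into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(artifact):
    """Return (file name, problem) tuples for one artifact; empty means OK."""
    problems, checked = [], 0
    for ext, algo in ALGORITHMS.items():
        checksum_file = artifact.with_name(artifact.name + ext)
        if not checksum_file.is_file():
            continue
        checked += 1
        actual = file_digest(artifact, algo)
        try:
            expected = parse_checksum_file(
                checksum_file.read_text(errors="replace"), len(actual))
        except ValueError as exc:
            problems.append((checksum_file.name, str(exc)))
            continue
        if not hmac.compare_digest(expected, actual):
            problems.append((checksum_file.name, "digest mismatch"))
    if checked == 0:
        problems.append((artifact.name, "no checksum file found"))
    return problems
```

A malformed checksum file and a missing one are reported as problems in their own right, so an artifact is never treated as verified just because nothing could be compared.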