Hash mismatches from Github releases are a rare but recurrent problem. The issue is that developers sometimes re-publish releases under the exact same version. Since we index based on version, in those cases we keep a stale sha256 hash in our self-signed events. Github does not expose hashes anywhere in their releases API. I'll see if I can mitigate this with a timestamp check.

Still (version 1.5.3)