Provide hashes for downloads #12378

@bottle2

Hey,

I went to: https://haxe.org/
then I clicked "Download 4.3.7" and it took me to https://haxe.org/download/
which is identical to https://haxe.org/download/version/4.3.7/

I clicked the link "Windows 64-bit Installer" which is https://haxe.org/download/file/4.3.7/haxe-4.3.7-win64.exe/
then it downloaded haxe-4.3.7-win64.exe

after trying to run, Windows showed the following popup:

O Windows protegeu o computador

O Microsoft defender SmartScreen impediu que um aplicativo não reconhecido fosse iniciado. A execução deste aplicativo pode colocar o computador em risco.

this is Portuguese. it roughly translates to:

Windows has protected the computer

Microsoft defender SmartScreen stopped initialization of an unrecognized application. This application's execution could put the computer in danger.

it provides an option "Executar assim mesmo", translated to "Execute anyway"

my knee-jerk reaction is to look for hashes to verify that the executable is somehow trusted.

scanning the Haxe website, none seem to be found. I also tried to look on GitHub Releases at https://github.com/HaxeFoundation/haxe/releases/tag/4.3.7 with no luck

please provide some hashes to verify the downloads. notice that some hashes such as SHA-1 have been compromised. I think MD-5 is not reliable as well? I guess SHA-256 and SHA-512 are reasonable.

it would be even better to provide the hashes through GitHub. even though the download is done through HTTPS, it is weird to trust the haxe.org domain. the website is indeed referenced from GitHub, and its DNS information states to belong to "Haxe Foundation" and to have originated in 2005, but that's it. so to find the hashes in many independent-ish "places" would be sweet.
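The check this issue asks to be able to perform, as an added example that is not part of the original post or of the Haxe project: a download is accepted only if every independent source lists a matching SHA-256 or SHA-512 digest, and MD5 or SHA-1 entries are refused. The sha256sum-style manifest format, the source labels and the sample bytes are assumptions constructed for the illustration; no real Haxe digests are used.

```python
import hashlib

# Hex lengths of the digests the post considers reasonable.
# MD5 (32 chars) and SHA-1 (40 chars) are deliberately absent.
ACCEPTED = {64: "sha256", 128: "sha512"}


def parse_manifest(text, filename):
    """Return the hex digest listed for `filename` in a sha256sum-style manifest."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*").strip() == filename:
            return parts[0].lower()
    return None


def verify_download(data, filename, manifests):
    """Check `data` against every source; return (ok, reasons).

    `manifests` maps a source label to manifest text fetched from that source.
    Every source must list a strong, matching digest, so one altered source
    cannot vouch for the file on its own.
    """
    reasons = []
    if len(manifests) < 2:
        reasons.append("need at least two independent sources")
    for source, text in manifests.items():
        digest = parse_manifest(text, filename)
        if digest is None:
            reasons.append(f"{source}: no entry for {filename}")
            continue
        algo = ACCEPTED.get(len(digest))
        if algo is None:
            reasons.append(f"{source}: weak or unknown digest type")
            continue
        if hashlib.new(algo, data).hexdigest() != digest:
            reasons.append(f"{source}: {algo} mismatch")
    return (not reasons, reasons)


# Constructed sample: stand-in bytes, not the real installer.
SAMPLE = b"constructed installer bytes"
NAME = "haxe-4.3.7-win64.exe"
MANIFESTS = {  # hypothetical source labels
    "website": f"{hashlib.sha256(SAMPLE).hexdigest()}  {NAME}\n",
    "github-release": f"{hashlib.sha512(SAMPLE).hexdigest()} *{NAME}\n",
}

if __name__ == "__main__":
    print(verify_download(SAMPLE, NAME, MANIFESTS))
```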
