Oh, okay, so maybe I misread the sentence. I thought the implication was they used crc32 as opposed to HTTPS. Not sure why you need an additional layer in addition to https- as long as the certificate chain is setup properly. And again, you’re not gaining additional security if you submit the hash (or a gpg key) through the same channel. So if they already use https and just want to check for broken downloads, crc32 is perfectly fine. It’s just security theater at that point.

What does it matter if it’s CRC or sha512 if they are using an unsecured connection to transmit them? A stranger who has already acquired capability to modify the payload in transit can also modify the checksum. A better hash will not solve this problem.