You can use this site

https://distro.ibiblio.org/tinycorelinux/downloads.html

And all the files are here

https://distro.ibiblio.org/tinycorelinux/16.x/x86/release/

Under a HTTPS connection. I am not at a terminal to check the cert with OpenSSL.

I don’t see any way to check the hash OOB

Also this same thing came up a few years ago

https://www.linuxquestions.org/questions/linux-newbie-8/reli...

An integrity check where both what you're checking and the hash you're checking against is literally not better than nothing if you're trying to prevent downloading compromised software. It'd flag corrupted downloads at least, so that's cool, but for security purposes the hash for a artifact has to be served OOB.

It’s not better than nothing - it’s arguably worse.