If the attacker already controls the download link and has a valid https certificate, can't they just modify the published hash as well?