See if the developers publish hashes of their executables (something like sha1/256, md5…). Then you can take the hash of your executable, and if they are the same, you should have gotten the exact same file. This does of course not help if the place you get the hashes from is also compromised.