Re: I dunno if this would work...
> But might it be a good idea to have a "known good" or "gold" copy of the download held in a secure non-web-facing store
Except if your site got pwned, then they would just return true inside the isequal method it uses, compromising the entire model.
You don't really need the whole file btw. You just need to store its hash and compare that. Where your idea does have merit is in deploying a web job to AWS/Azure that downloads the files and does the comparison once an hour, broadcasting to predetermined mailboxes when there is a mismatch. Just don't use the same credentials or server for that web job, and remember to update your build system to push the new hash to the guardian web job.
Next, figure out some way to protect your build server/repository/compiler/meatbags involved in pushing out a release.
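The guardian web job described above, as an added example that is not part of the original post: it assumes a manifest of URL to SHA-256 pairs that the build system pushes to the guardian, and a fetcher that holds no credentials shared with the site being watched. The manifest values and the in-memory fetcher are constructed for illustration.

```python
"""Out-of-band download guardian (constructed example).

Fetches each published release file, hashes the body with SHA-256 and
compares it to the hash the build system pushed; any mismatch or fetch
failure becomes an alert the caller can broadcast by mail.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List

# Manifest pushed by the build system: URL -> expected SHA-256 hex digest.
# Constructed sample values; real ones come from your release pipeline.
SAMPLE_MANIFEST: Dict[str, str] = {
    "https://downloads.example.org/app-1.2.3.tar.gz":
        hashlib.sha256(b"release tarball bytes").hexdigest(),
    "https://downloads.example.org/app-1.2.3.exe":
        hashlib.sha256(b"release installer bytes").hexdigest(),
}


def fetch_http(url: str, timeout: int = 30) -> bytes:
    """Default fetcher: anonymous GET, deliberately without any of the
    site's credentials, so a compromised site cannot borrow them."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def make_fake_fetch(store: Dict[str, bytes]) -> Callable[[str], bytes]:
    """Constructed in-memory fetcher so the check can be exercised offline."""
    def fetch(url: str) -> bytes:
        if url not in store:
            raise FileNotFoundError(url)
        return store[url]
    return fetch


def check_downloads(manifest: Dict[str, str],
                    fetch: Callable[[str], bytes] = fetch_http) -> List[str]:
    """Return one alert string per URL whose content does not hash to the
    expected digest or could not be fetched at all. A fetch failure is
    reported rather than silently skipped, since a missing file is also a
    signal worth a mailbox. An empty list means every file still matches."""
    alerts: List[str] = []
    for url, expected in manifest.items():
        try:
            actual = hashlib.sha256(fetch(url)).hexdigest()
        except Exception as exc:  # 404, timeout, DNS failure, ...
            alerts.append(f"FETCH FAILED {url}: {exc}")
            continue
        if actual != expected:
            alerts.append(f"HASH MISMATCH {url}: expected {expected}, got {actual}")
    return alerts
```

Run `check_downloads(manifest)` from the hourly job and hand a non-empty result to your mailer; the build system's only job on release is to overwrite the manifest with the new digests.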