Seriously, if you're downloading from a third-party mirror, why would you not check the hash of the binary compared to the original? I mean, why would anyone even use Sourceforge for this in the first place? The official website has the official versions, and whatever distro you're using has screened versions in their repos.
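The hash check the comment above recommends, written out as an added example that is not part of this thread: it verifies a downloaded file against a SHA256SUMS-style manifest of the kind projects publish next to their releases, and reports a tampered copy or a file the manifest never listed. The file name, contents and manifest here are constructed for the demo, not a real GIMP release.

```python
import hashlib, hmac, os, tempfile

# Constructed sample artifact and a matching SHA256SUMS-style manifest
# (hypothetical name and contents, not a real GIMP release).
SAMPLE_NAME = "gimp-example.tar.gz"
SAMPLE_BYTES = b"constructed sample binary contents\n"
SAMPLE_SUMS = (hashlib.sha256(SAMPLE_BYTES).hexdigest() + " *" + SAMPLE_NAME + "\n"
               + "# comments and blank lines are ignored\n\n" + "0" * 64 + "  other.zip\n")

def parse_sums(text):
    """Parse sha256sum output ('<hex>  <name>'; a leading '*' marks binary mode)."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        # Anything that is not a 64-char hex digest (blank, comment, garbage) is ignored
        if len(digest) == 64 and set(digest) <= set("0123456789abcdef"):
            sums[name] = digest
    return sums

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, sums_text):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at path."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # the mirror offers a file the project never published
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    """Verify a genuine, a tampered and an unlisted copy; returns {label: status}."""
    cases = {"genuine": (SAMPLE_NAME, SAMPLE_BYTES),
             "tampered": (SAMPLE_NAME, SAMPLE_BYTES + b"injected\n"),
             "unlisted": ("gimp-setup.exe", SAMPLE_BYTES)}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, (name, data) in cases.items():
            os.mkdir(os.path.join(d, label))
            path = os.path.join(d, label, name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_download(path, SAMPLE_SUMS)
    return results
```

The manifest itself must come from the project's own site (ideally with its signature checked), since a mirror that can alter the binary can alter a checksum file hosted beside it just as easily.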
Where is the official website? The GIMP is easy; Google knows that it originated at gimp.org. But a search also brings up GIMP at 'softtonic', 'gimpshop', CNet, and TechRadar -- all of which probably have added malware. If the program were more obscure, finding the correct link would be more difficult.
It would be nice to have one site that served trustable downloads for shareware and open-source code. Sourceforge used to be that site.