
Is it possible to check the integrity of the GnuPG files inside of the downloaded installation package of GPGTools?

I know how to check the integrity of the .dmg file (compare the SHA1 hash), but I don't know how to check in particular that the GnuPG binaries inside the installation package are safe.

Of course I know I can reach the files inside the package, but how do I verify the binary files?

Adi
flori

2 Answers

2

The content provider (GPGTools) provides no means to check the integrity of the files inside the package; they provide no hashes/sigs, so you have nothing to compare to. They appear to compile their own versions/ports of other open source projects, so even if you try to check the binaries against their counterparts from another content provider, the check will most likely fail.

Since they provide the package and the page showing the sig over HTTPS, you can trust that they both come from the GPGTools website and you can trust that you're being handed the authentic package.

Now if you don't trust the source of the package (GPGTools), you probably shouldn't be using their ports/packages in the first place.

Adi
  • Good hint with the HTTPS! I trust them, but how can we know that no one tricked them? Would be nice to have something with which we could verify the full path of the different code repositories into the .dmg file. Would this be technically possible? – flori Jul 05 '13 at 11:34
1

Checking the file integrity with SHA-1 or any other tool will not tell you that the file is safe; it may tell you that the file is exactly the same as it was on the other side. It really depends on whether you trust the people who built the GPGTools package. As @Adnan points out, if you download the package through HTTPS, then you benefit from the protection of SSL as far as the transit is concerned, so you don't have to compute extra hashes (which would give you nothing more), but that does not solve this trust issue.

If you are worried about the GPGTools people, then you have the option of downloading the source code, analyzing it, and then compiling it yourself. This is hard work.

Thomas Pornin
  • This leads me to a new question: http://security.stackexchange.com/questions/38466/is-there-a-way-to-verify-a-binary-against-the-sources – flori Jul 05 '13 at 12:46
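Both answers come down to the same point: a hash only proves a file is identical to some reference, so per-file checking of an extracted package needs a trusted manifest, which GPGTools does not publish. The script below is an added example, not code from either answer or from GPGTools; it builds a SHA-256 manifest from a tree you trust and reports which files in another extracted tree were modified, removed or added, using a constructed stand-in directory rather than a real .dmg.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file below root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_tree(root, manifest):
    """Compare an extracted tree against a trusted manifest.
    Returns sorted lists of modified, missing and extra (unlisted) files."""
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "extra": sorted(p for p in actual if p not in manifest),
    }

def demo():
    """Constructed stand-in for an extracted package: a trusted copy and a tampered copy."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as suspect:
        files = {"usr/local/bin/gpg": b"mach-o-good", "share/doc/README": b"docs"}
        for tree in (good, suspect):
            for rel, data in files.items():
                path = os.path.join(tree, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        manifest = build_manifest(good)           # the reference GPGTools does not ship
        with open(os.path.join(suspect, "usr/local/bin/gpg"), "wb") as f:
            f.write(b"mach-o-tampered")            # binary replaced
        os.remove(os.path.join(suspect, "share/doc/README"))  # file dropped
        with open(os.path.join(suspect, "extra.dylib"), "wb") as f:
            f.write(b"x")                          # file added
        return verify_tree(suspect, manifest)
```

Running `demo()` flags the replaced binary, the missing README and the added library; on a real download the manifest would have to come from a source you trust independently of the package itself.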