Is there some good reason for all those steps to actually get the file after downloading? I don't see the point of encrypting it, or of having a tarball with just one file. They also suggest checking the file integrity of the download, and then also checking the integrity of the final extracted file--this seems completely pointless as the final extracted file is derived deterministically from the download so you've already checked it when you checked the download checksum.
Encrypting it, at least, makes sense: They can take their time distributing the file without anyone peeking at it before they're suppose to. Then, when they release the decryption key, the file is already copied all over the place and really hard to shut down.
Guess all the verifying means they are afraid someone will distribute "altered" versions. Checking it twice is maybe a little drastic? Don't know how hard it is to generate a file that compresses to the same as their file (collision). But it's at least theoretically possible.
MD5 is not the best cryptographic hash... it's weird that they would be so paranoid as to include two hashes but not use something harder to collide with.
While I agree there's better options, MD5 has no known preimage attacks. So it's stretching it a bit to imply that someone could easily cause a collision on an existing archive.
Theoretically, it is possible to create another file, which after encryption will give you the same checksum. I doubt that someone will be able to do it in a reasonable amount of time though.
Am I missing something?