Can I trust the images and git?
On https://calyxos.org/get there is nothing signed, for example by GPG.
If there is a Man-in-the-Middle / hacker, who can manipulate the images, he can also manipulate the sha256 checksums.
Also, some "Anonymous (not verified)" user edited the page at Thu, 03/21/2019 - 00:02.
You could, for example, sign your Git tags / commits: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
And put the links to the images with the checksums into the signed git.
This is not paranoid: it happened to Linux Mint. Users who just installed the image and didn't check the GPG signature of the sha256sums installed a manipulated OS. Hackers hacked the Linux Mint website and changed the images and sha256sums.
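
The difference between a bare checksum list and a GPG-signed one, as an added example that is not part of the original post and not CalyxOS tooling. The file names (`image.img`, `sha256sums`, `sha256sums.asc`), the throwaway key and the temp directories are assumptions constructed for the demo; it needs GnuPG 2.1 or later and GNU `sha256sum`.

```shell
#!/bin/sh
# Constructed demo: throwaway key, fake image, local temp directories only.

# Build release dir $1, signed by a new key kept in keyring dir $2.
make_demo_release() {
    gpg --homedir "$2" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <release@example.invalid>' \
        default default never 2>/dev/null || return 1
    printf 'original image\n' > "$1/image.img"
    ( cd "$1" && sha256sum image.img > sha256sums &&
      gpg --homedir "$2" --batch --quiet --pinentry-mode loopback --passphrase '' \
          --armor --detach-sign --output sha256sums.asc sha256sums 2>/dev/null )
}

# Models the Linux Mint case: image and checksum list are replaced together.
# The signing key is not on the download server, so sha256sums.asc goes stale.
tamper_release() {
    printf 'manipulated image\n' > "$1/image.img"
    ( cd "$1" && sha256sum image.img > sha256sums )
}

# Check the signature over the checksum list first, then the hashes.
# $2 must hold only the release key, obtained over a separate channel.
verify_release() {
    ( cd "$1" &&
      gpg --homedir "$2" --batch --quiet --verify sha256sums.asc sha256sums 2>/dev/null &&
      sha256sum --check --quiet sha256sums >/dev/null 2>&1 )
}

demo() {
    rel=$(mktemp -d) && keys=$(mktemp -d) || return 1
    make_demo_release "$rel" "$keys" || return 1
    verify_release "$rel" "$keys" && echo "untouched: signature and hashes OK"
    tamper_release "$rel"
    ( cd "$rel" && sha256sum --check --quiet sha256sums ) &&
        echo "tampered: bare sha256 check still passes"
    verify_release "$rel" "$keys" || echo "tampered: signed check rejects it"
    gpgconf --homedir "$keys" --kill gpg-agent 2>/dev/null
    rm -rf "$rel" "$keys"
}
demo
```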