You are already getting that for Linux bundles by default. Even for Windows you don't need GPG if you just want to check the provided SHA-256 sums (you need to strip the Authenticode signature first, but we have a guide for that on our signature verification page). So, OS X users are remaining then. But it seems to me that does not account for the gap between downloads/sig downloads. Moreover, we are working on that, trying to provide tools to strip the signature and get the same SHA-256 sum as the unsigned .dmg file.
Still, being able to check the SHA-256 hash alone is not really more secure than just downloading the bundle and running it.