Why not just sign the file with GPG or openssl or something?
If you need to deal with clients that aren't aware of the mechanism, you could just put the GPG signature in a custom HTTP header.
If you need to use cloud hosting or the like, and you can't return custom headers, just put the signature in a file with the same name with .sig attached. In fact, I just downloaded a kernel tarball the other day, and kernel.org does exactly this [1].
I also found a few related articles and RFCs [2] [3] [4].
Because the browser should have no way of verifying that the file was really constant, and to do that it would need to ask other authorities who have downloaded the file in the past.
GPG only allows you to sign something, not guarantee it was always constant.
[1] https://www.kernel.org/pub/linux/kernel/v3.x/
[2] http://en.wikipedia.org/wiki/Magnet_link
[3] http://www.ietf.org/rfc/rfc3230.txt
[4] http://www.ietf.org/rfc/rfc6249.txt