Oh, sure. But as the installer is signed, instead of checking against a changing checksum, you can just verify the signature certificate, which is much simpler.

The trust path should be: "DigiCert" (the root CA) -> "DigiCert Trusted Root G4" -> "Verokey Secure Code" -> "Pierre Marie Baty"