An MD5 checksum is great for verifying an already compiled executable. It's not as great for verifying code that you compile yourself, since that will vary depending on the hardware and software used to compile. That has been a longstanding problem with TrueCrypt until recently (the source doesn't perfectly match the pre-compiled executable).
Those who argue that people should simply audit the source themselves to verify authenticity are either ignorant or being obtuse. Auditing cryptographic software (and its implementation) is just too complex for a single user.
An example of this is the Underhanded C Contest, whose point is to get malicious code past a rigorous inspection.