As the author of an open source ACME client myself, I don't see anything stopping us from creating a hash of each version of our released code signed with a private key for which we provide the public key on our websites. Then again, if users are downloading the code directly from the website alongside the public key, this seems a bit like overkill since the only reasonable way I can see that an attacker could tamper with the code would be to act as a MITM for both elements.
This concept seems to harken back to the days of shareware distribution in the 90's...