Welcome to the site, leftdisconnected
Your suggestions and reasoning are very reasonable.
For installers, I highly encourage signing with a digital certificate; and with executables it makes a difference in how Windows displays them, and can definitely make people feel safer using them.
Your point about "It might be useful to list this hash in the download area on your official website, but this can convey false verification if a website is hacked (hackers may change the displayed hash to match their infected package)." is valid; for small scale websites that's pretty darn unlikely though. And one good alternative solution would be to post a hash value on a different server (like this forum), from the one hosting the file. Whether it's worth the hassle is another matter. It does at least increase the likelihood that someone would discover a tampered file sooner rather than later, which is always good.
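As an added illustration of the point made in this thread (this is example code written for this reply, not anything the poster or the project published), the check below verifies a downloaded installer against a hash published on a second server, parsing sha256sum-style lines as they might be pasted into a forum post. The file names, the "installer" bytes and the post text are constructed stand-ins. The last scenario shows why a hash served from the same (compromised) site proves nothing: the attacker rewrites both, and the check passes.

```python
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the downloaded bytes as lowercase hex (the form sha256sum prints)."""
    return hashlib.sha256(data).hexdigest()


def parse_published_hashes(text: str) -> dict:
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') out of free text,
    e.g. a forum post or a SHA256SUMS file. Prose and malformed lines are skipped.
    Returns {filename: lowercase hex digest}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            continue
        # sha256sum prefixes the name with '*' when the file was hashed in binary mode
        table[name.lstrip("*")] = digest.lower()
    return table


def verify_download(data: bytes, filename: str, published_text: str) -> bool:
    """True only if the SHA-256 of `data` matches the digest published for `filename`.
    A missing entry is treated as unverified (False), never as OK.
    hmac.compare_digest keeps the comparison constant-time."""
    expected = parse_published_hashes(published_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed sample bytes standing in for the genuine installer and a trojaned copy
GENUINE = b"MZ\x90\x00 constructed stand-in for MyApp-Setup.exe"
TAMPERED = GENUINE + b" plus injected payload"

# What the author posts on the second server (e.g. this forum) at release time
FORUM_POST = "Release 1.2.3 checksums:\n" + sha256_hex(GENUINE) + "  MyApp-Setup.exe\n"

# What a compromised download site shows: the hash rewritten to match the tampered file
HACKED_SITE = sha256_hex(TAMPERED) + "  MyApp-Setup.exe\n"


if __name__ == "__main__":
    print(verify_download(GENUINE, "MyApp-Setup.exe", FORUM_POST))    # True
    print(verify_download(TAMPERED, "MyApp-Setup.exe", FORUM_POST))   # False: the second source catches it
    print(verify_download(TAMPERED, "MyApp-Setup.exe", HACKED_SITE))  # True: same-server hash proves nothing
```

The second source only helps if the user actually fetches the hash from it; an Authenticode signature on the executable, as mentioned above, is checked by Windows automatically and does not depend on which server the file came from.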