diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f557786..6af7c2a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -90,10 +90,17 @@ jobs:
 - name: Install changie
 env:
 CHANGIE_VERSION: 1.24.2
+ # SHA256 of changie_${CHANGIE_VERSION}_linux_amd64.tar.gz from the
+ # upstream release's checksums.txt. Bump together with the version.
+ CHANGIE_SHA256: 31535a9d8dc548d6d8f315762bfd5b1fba34e707b7600748c8bb8a609649007d
 run: |
- curl -fsSL "https://github.com/miniscruff/changie/releases/download/v${CHANGIE_VERSION}/changie_${CHANGIE_VERSION}_linux_amd64.tar.gz" \
- | sudo tar -xz -C /usr/local/bin changie
- changie --version
+ curl -fsSL -o /tmp/changie.tar.gz \
+ "https://github.com/miniscruff/changie/releases/download/v${CHANGIE_VERSION}/changie_${CHANGIE_VERSION}_linux_amd64.tar.gz"
+ echo "${CHANGIE_SHA256} /tmp/changie.tar.gz" | sha256sum -c -
+ mkdir -p "${RUNNER_TEMP}/bin"
+ tar -xzf /tmp/changie.tar.gz -C "${RUNNER_TEMP}/bin" changie
+ echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+ "${RUNNER_TEMP}/bin/changie" --version
 - name: Verify CHANGELOG.md is in sync
 run: |
 changie merge
diff --git a/Taskfile.yml b/Taskfile.yml
index 0c4528e..85564a7 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
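Review bot: The `sha256sum -c` line in the new `run:` block shows a single space between `${CHANGIE_SHA256}` and `/tmp/changie.tar.gz`; GNU coreutils' check format is `<hash>  <file>` (two spaces) or `<hash> *<file>`, and some coreutils versions reject a single-space line as "no properly formatted" checksum, which fails the step (fail-closed, but a confusing failure that looks like a bad pin). Since this rendering collapses whitespace, confirm the committed line reads `echo "${CHANGIE_SHA256}  /tmp/changie.tar.gz" | sha256sum -c -`. The tarball is also downloaded into the shared `/tmp` while the extracted binary goes to the job-private `${RUNNER_TEMP}`; `curl -fsSL -o "${RUNNER_TEMP}/changie.tar.gz" \` keeps both under the same runner-scoped directory, and the later `tar -xzf` path would change to match.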
@@ -146,14 +146,20 @@ tasks:
 install-changie:
 desc: >-
 Download changie (changelog fragment manager) into .local/bin/ via
- gh release download. The changelog-* tasks depend on this, so a direct
- install is rarely needed.
+ gh release download, with checksum verification. The changelog-* tasks
+ depend on this, so a direct install is rarely needed.
 vars:
 CHANGIE_VERSION: 1.24.2
+ # SHA256 of the upstream release's checksums.txt — pinned in-repo so a
+ # replaced or tampered release asset is detected before execution. Bump
+ # together with CHANGIE_VERSION (and the matching pin in
+ # .github/workflows/ci.yml).
+ CHANGIE_CHECKSUMS_SHA256: 79c8ddf317bb0a5443e00ab75fe70f7790849e91846cae68b34e503f78aaecf1
 CHANGIE_OS:
 sh: uname -s | sed 's/Linux/linux/;s/Darwin/darwin/'
 CHANGIE_ARCH:
 sh: uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/'
+ CHANGIE_TARBALL: changie_{{.CHANGIE_VERSION}}_{{.CHANGIE_OS}}_{{.CHANGIE_ARCH}}.tar.gz
 status:
 - .local/bin/changie --version 2>/dev/null | grep -qF "v{{.CHANGIE_VERSION}}"
 preconditions:
@@ -161,11 +167,16 @@ tasks:
 msg: >-
 gh CLI must be authenticated. Run: gh auth login
 cmds:
- - mkdir -p .local/bin
+ - mkdir -p .local/bin .local/dl
 - gh release download 'v{{.CHANGIE_VERSION}}' --repo miniscruff/changie
- --pattern 'changie_*_{{.CHANGIE_OS}}_{{.CHANGIE_ARCH}}.tar.gz'
- --output - | tar -xz -C .local/bin changie
+ --pattern '{{.CHANGIE_TARBALL}}'
+ --pattern checksums.txt
+ --dir .local/dl --clobber
+ - echo '{{.CHANGIE_CHECKSUMS_SHA256}} checksums.txt' | (cd .local/dl && shasum -a 256 -c -)
+ - (cd .local/dl && grep -F '{{.CHANGIE_TARBALL}}' checksums.txt | shasum -a 256 -c -)
+ - tar -xzf .local/dl/{{.CHANGIE_TARBALL}} -C .local/bin changie
+ - rm -rf .local/dl
 - .local/bin/changie --version
 changelog-new:
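Review bot: The new comment on `CHANGIE_CHECKSUMS_SHA256` says to bump it together with "the matching pin in .github/workflows/ci.yml", but that workflow pins the linux/amd64 tarball's own digest (`CHANGIE_SHA256`), not the digest of checksums.txt, so the two values differ by design and "matching" invites copying one over the other. Suggest making the distinction explicit in the comment, e.g. `# ci.yml pins the linux/amd64 tarball's own SHA256 (CHANGIE_SHA256), not this checksums.txt digest — bump both on a version change, but the values differ.` It would also help a future bumper to state where each value comes from (the release's checksums.txt for the tarball digest; a local `shasum -a 256 checksums.txt` for this one).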
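Review bot: In the new cmd `(cd .local/dl && grep -F '{{.CHANGIE_TARBALL}}' checksums.txt | shasum -a 256 -c -)`, grep's exit status is lost because only the last command of the pipeline decides the cmd's result; if the OS/arch combination is absent from checksums.txt (an unmapped `uname` value, or an upstream naming change), grep emits nothing and whether the task then fails rests on how this `shasum` implementation treats an empty checksum list rather than on an explicit check. Splitting the lookup into its own checked cmd removes that dependency: `- (cd .local/dl && grep -F ' {{.CHANGIE_TARBALL}}' checksums.txt > tarball.sha256)` followed by `- (cd .local/dl && shasum -a 256 -c tarball.sha256)`. The leading space in the pattern avoids matching a longer asset name that merely contains the tarball name as a prefix-free substring, and the extra file is cleaned up by the existing `rm -rf .local/dl`. The surrounding `install-changie` task begins in the previous hunk.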