It should be obvious, but it seems that people need a reminder.
You should only ever download files from their original source! If you don't, how will you ever be certain that what you are downloading is the real deal and doesn't have some hidden backdoor?
Not long ago a new version of WordPress was released at www.wordpresz.org, which wasn't actually the real deal.
Don't fall into the same trap!
Luckily, if for any reason you have downloaded Joomla from somewhere other than the official site, you can do an MD5 check on the download and compare it with the master MD5 list at joomla.org.
Phil Taylor today provides a helpful guide to checking the MD5 at his blog.
As Phil mentions, many of us, including all my Debian friends, have long advocated the GPG signing of Joomla and its extensions.
With GPG keysigning you can not only confirm that the file you are downloading is the "real deal" and has not been tampered with, you can also create a circle of trust.
I should add that even if you are downloading a file from a "trusted source" you should still check the MD5. I have seen a trusted source get hacked and its master files modified without the site owner's knowledge. Fortunately, that site owner published the MD5, so it was quickly detected.
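
The MD5 comparison described above can be scripted so that a missing or malformed list entry is never mistaken for a pass. This is an added example, not code from the original post or from Phil Taylor's guide; the function names, the `MD5SUMS` file name and the md5sum-style list format are assumptions.

```shell
# Added example: verify a download against a published MD5 list.
# Assumed list format (md5sum style): "<32 hex digits>  <filename>" per line,
# with no spaces in filenames. Save the list from the official site yourself.
# Usage (after sourcing this file): verify_download package.zip MD5SUMS

# md5_of FILE: print the lowercase hex MD5 digest of FILE
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print tolower($1) }'
    else
        md5 -q "$1" | tr 'A-F' 'a-f'   # BSD/macOS fallback
    fi
}

# verify_download FILE LIST
# Returns 0 = digest matches, 1 = mismatch, 2 = could not verify.
verify_download() {
    file=$1
    list=$2
    if [ ! -r "$file" ] || [ ! -r "$list" ]; then
        echo "cannot read '$file' or '$list'" >&2
        return 2
    fi
    name=$(basename "$file")
    # Exact match on the filename column; md5sum may prefix it with '*'.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$list")
    # Treat a missing or malformed entry as "unverified", never as a pass.
    case $expected in
        ""|*[!0-9a-f]*) echo "$name: no usable entry in list" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 32 ]; then
        echo "$name: list entry is not an MD5 digest" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (expected $expected, got $actual)" >&2
    return 1
}
```

Exit status 2 is kept separate from 1 so that an automated download step can tell "the file is not in the list" apart from "the file differs from the list"; neither should be installed.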