<p>For signing the data files, I'm fond of pgp, with gpg being the implementation I trust best.</p>
<p>Sadly, standardization efforts seem to end up being used to add sponsorship for certificate signing authorities, we all have seen how well that has worked for SSL. Hope you can go with pgp; the current Certificate Authority fiasco follows as expected from the observation that trust doesn't scale.</p>
<p>As for details, I don't know anything wrong with the default algorithms that gpg uses. But ideally you shouldn't be using your own key directly, but rather a new, project-specific key for the project's official contact email address. You can start it off by signing it with your key, and other folks can add signatures after verifying the fingerprint with you offline.</p>