I've just started looking at OMV and this was also my first question. I was looking for a simple sha256 that I could get from the download page, and then check that against the actual ISO image I download. Sha2-256 is available on practically every machine I use, it's simple it would give enough reassurance and many distros do this:
Ubuntu:
https://ubuntu.com/download/de…0.04.3&architecture=amd64
AntiX:
https://antixlinux.com/download/
OpenSuSE:
https://get.opensuse.org/tumbleweed/?type=desktop#download
Mint:
https://linuxmint.com/edition.php?id=292
They all have the ISO on random mirror, but the checksums are all in a specific place (the source of the mirrors one would assume). I think the key thing here, is that if someone changes the checksums someone will probably notice. Because many people would be viewing them and testing them. Whereas it may be easier to change an ISO on one random mirror (updating accompanying checksum) out of a few dozen possibles and it wouldn't be spotted so easily. No point in storing the checksums on any mirrors if you do this, you actually want people to be constantly checking the *original* checksums against the ISOs they download wherever from.
I hope that the developers will consider providing this in the future, if for no other reason than to avoid questions like this :).
Thanks!