How to make sure the # file you downloaded is the real deal:
2) Download the file and its ‘OpenPGP’ signature: https://www.enigmail.net/download/index.php
3) Learn that you must also download the public key the packages have been signed with: https://www.enigmail.net/documentation/signature.php
3a) Download gpg-curl and configure gpg to download keys securely, as described in https://quitter.no/url/12964
3b) Verify the certificate used when connecting to the pool of secure key servers: https://sks-keyservers.net/verify_tls.php (I didn’t really understand how, so I skipped this step.)
4) Following the instructions (linked to) in 3a), download the key identified on the webpage from 2).
5) Following the instructions in 2), run ‘gpg --verify filename.xpi.asc’ in the directory that also holds filename.xpi

If it says ‘good signature’, I guess you’re safe…. (!crypto !security)
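Added example, not part of the original post: the step-5 check scripted so that it also compares the signing key's fingerprint with the one you took from the page in step 2 (a ‘Good signature’ line alone means only that some key in your keyring made the signature). The keyring, sample file and signature are constructed on the fly so it runs offline; the real Enigmail fingerprint is not assumed here and must come from the project's page.

```shell
#!/bin/sh
# Added example (not from the original post): verify a detached OpenPGP
# signature and require that the primary key behind it has the expected
# fingerprint, instead of trusting "Good signature" on its own.
set -u

# verify_signed_file FILE SIGNATURE EXPECTED_FPR
# Succeeds only if SIGNATURE over FILE is valid and the primary key that
# made it has fingerprint EXPECTED_FPR (40 hex digits, no spaces).
verify_signed_file() {
    file=$1; sig=$2; expected=$3
    # --status-fd 1 prints machine-readable "[GNUPG:] ..." lines on stdout.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # VALIDSIG fields: $3 = key that signed, $12 = its primary key fingerprint.
    fpr=$(printf '%s\n' "$status" |
          awk '/^\[GNUPG:\] VALIDSIG /{ f = $12; if (f == "") f = $3; print f; exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# demo_setup: throwaway keyring, a constructed sample file and a real
# detached signature over it, so the check above can run offline.
# Sets DEMO_FILE, DEMO_SIG and DEMO_FPR for the caller.
demo_setup() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME   # keeps the demo key out of your real keyring
    chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null
    DEMO_FPR=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr/{ print $10; exit }')
    DEMO_FILE=$GNUPGHOME/enigmail-demo.xpi     # constructed stand-in for the real .xpi
    DEMO_SIG=$DEMO_FILE.asc
    printf 'constructed sample payload\n' > "$DEMO_FILE"
    gpg --batch --pinentry-mode loopback --passphrase '' --armor --detach-sign \
        --local-user "$DEMO_FPR" -o "$DEMO_SIG" "$DEMO_FILE" 2>/dev/null
}

if command -v gpg >/dev/null 2>&1; then
    demo_setup
    if verify_signed_file "$DEMO_FILE" "$DEMO_SIG" "$DEMO_FPR"; then
        echo "OK: valid signature from expected key $DEMO_FPR"
    fi
    # Same valid signature, but not the fingerprint we were told to expect:
    verify_signed_file "$DEMO_FILE" "$DEMO_SIG" "0000000000000000000000000000000000000000" \
        || echo "REJECTED: good signature, but from a different key"
else
    echo "gpg not installed; nothing to verify"
fi
```

For the real download, replace the constructed file, signature and fingerprint with filename.xpi, filename.xpi.asc and the fingerprint published on the Enigmail signature page.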