If possible, it would be nice to PGP-sign ITS Tool releases, in addition to or in place of the existing SHA-256 checksums. That would allow users to check that they are not downloading a rogue version crafted to open a security breach in their systems.
Notably, the Debian operating system can automatically check upstream release signatures, which makes it possible to build a full chain of trust, since the packages derived from them are also signed!
If you have a working installation of GnuPG, that can be done with the following command:
$ gpg --detach-sign itstool-2.0.2.tar.bz2
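A matching verification routine for the consumer side, added here as an example and not part of the original request or of the ITS Tool project: it checks the detached signature (the `.sig` file that `gpg --detach-sign` writes next to the tarball) and pins the expected signing-key fingerprint instead of accepting any key in the keyring, then compares the existing SHA-256 checksum as well. It assumes `gpg` and `sha256sum` (or `shasum`) are installed, a dedicated keyring holding the release key, and `RELEASE_FPR` as a placeholder fingerprint to be replaced with the one the maintainers publish.

```shell
#!/bin/sh
# Added example: verify an ITS Tool release tarball against its detached PGP
# signature (pinned to the release key) and against its published SHA-256 sum.
set -eu

# Placeholder fingerprint: replace with the real ITS Tool release-key fingerprint.
RELEASE_FPR="${RELEASE_FPR:-0000000000000000000000000000000000000000}"
# Dedicated keyring holding only the imported release key (assumed path).
KEYRING="${KEYRING:-$HOME/.gnupg/itstool-release.kbx}"

# Print the SHA-256 hex digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's digest with the published value (case-insensitive hex).
check_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Verify the detached signature and insist it was made by RELEASE_FPR.
# "gpg --verify" alone exits 0 for any key present in the keyring, so the
# VALIDSIG status line is parsed to pin the signing key (or its primary key).
check_signature() {
    status=$(gpg --no-default-keyring --keyring "$KEYRING" \
                 --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$RELEASE_FPR"
}

# Full check: checksum first, then signature; non-zero exit means reject.
verify_release() {
    check_sha256 "$1" "$2" || { echo "sha256 mismatch: $1" >&2; return 1; }
    check_signature "$1" "$1.sig" || { echo "bad or unpinned signature: $1" >&2; return 1; }
    echo "verified: $1"
}

# Usage: verify_release itstool-2.0.2.tar.bz2 <published-sha256>
```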