I have seen some plugins where the source code (e.g. on GitHub) is different from the source code used to compile the jar. This will cause the hashes to be different and will cause the checking of the jar to fail.
I am not saying it is a bad method (I like the idea), but you can’t rely on this method, because:
- the developer might have changed a few things, either after compiling (before uploading the source code) or before compiling (having already uploaded the source code);
- the developer uploads his source code after the plugin has been validated;
- or some other random reason.
Note that these are just some examples; for most (open source) plugins the method would work.
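The check the post is talking about (rebuild the jar from the published source and compare hashes) fails as a whole as soon as a single byte differs, which tells you nothing about *which* file the developer changed. As an added example that is not part of the post above, the Python script below compares a published jar against a rebuilt one two ways: the whole-file SHA-256 the post refers to, and a per-entry SHA-256 of every file inside the jar, so a mismatch can be narrowed down to the entries that actually differ. The two jars are constructed in memory from made-up entry names (`plugin.yml`, `com/example/Main.class`, ...) purely for the demonstration; they are not taken from any real plugin.

```python
import hashlib
import io
import zipfile


def build_jar(entries):
    """Build an in-memory jar (a zip archive) from a {name: bytes} mapping.

    Entry order and timestamps are fixed so the only thing that can make the
    two sample jars differ is their contents. (Real build tools record the
    build time in each entry, which is one reason two jars built from the
    same source can still have different whole-file hashes.)
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def sha256_hex(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def entry_digests(jar_bytes):
    """Map each file inside the jar to the SHA-256 of its uncompressed contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            info.filename: sha256_hex(zf.read(info.filename))
            for info in zf.infolist()
            if not info.is_dir()
        }


def compare_jars(published, rebuilt):
    """Compare a downloaded jar with one rebuilt from the published source.

    Returns (whole_file_match, report) where report maps every entry name to
    'same', 'different', 'only_in_published' or 'only_in_rebuilt'.
    """
    pub, reb = entry_digests(published), entry_digests(rebuilt)
    report = {}
    for name in sorted(set(pub) | set(reb)):
        if name not in reb:
            report[name] = "only_in_published"
        elif name not in pub:
            report[name] = "only_in_rebuilt"
        elif pub[name] == reb[name]:
            report[name] = "same"
        else:
            report[name] = "different"
    return sha256_hex(published) == sha256_hex(rebuilt), report


# Constructed sample data (hypothetical plugin, not a real one).
# The "published" jar contains a class that is absent from the public source,
# and Main.class was compiled from a slightly different Main.java.
PUBLISHED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "plugin.yml": b"name: ExamplePlugin\nmain: com.example.Main\nversion: 1.0\n",
    "com/example/Main.class": b"\xca\xfe\xba\xbe" + b"published build of Main",
    "com/example/Extra.class": b"\xca\xfe\xba\xbe" + b"class not in the GitHub source",
})
REBUILT_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "plugin.yml": b"name: ExamplePlugin\nmain: com.example.Main\nversion: 1.0\n",
    "com/example/Main.class": b"\xca\xfe\xba\xbe" + b"rebuilt from the GitHub source",
})


if __name__ == "__main__":
    whole_match, report = compare_jars(PUBLISHED_JAR, REBUILT_JAR)
    print("whole-file hash matches:", whole_match)
    for name, status in report.items():
        if status != "same":
            print(f"  {name}: {status}")
```

Running it reports that the whole-file hashes do not match, then lists `com/example/Main.class` as `different` and `com/example/Extra.class` as `only_in_published`, while `plugin.yml` and the manifest are left out as identical. That is the detail a reviewer needs before deciding whether a mismatch is one of the harmless cases listed above or a class that was never in the public source at all.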