Apache Livy is released as a source artifact, and also through Maven.
There is no official release of Apache Livy yet, try checking out the GitHub repo and building the source code.
Instructions for checking hashes and signatures is indicated on the Verifying Apache Software Foundation Releases page.
Choose a source distribution in either tar or zip format, and verify using the corresponding pgp signature (using the committer file in KEYS). If you cannot do that, the md5 hash file may be used to check that the download has completed OK.
For fast downloads, current source distributions are hosted on mirror servers; older source distributions are in the archive. If a download from a mirror fails, retry, and the second download will likely succeed.
For security, hash and signature files are always hosted at Apache.