candied_orange
  • 119.7k
  • 27
  • 233
  • 369

I'm trying to understand how it will be possible (I refuse to believe it isn't possible) to verify the integrity of a new unknown remote asset from a new unknown source, when you cannot say for certain if either the remote asset or the remote source has not been compromised.

Sure you can do this. It's called the Wayback Machine.

But all that will tell you is if the hash has ever been changed. There is no way to know if it was changed because the site hosting the hash got hacked to hide that the asset is compromised or if the legitimate asset author decided to sneak in a change without changing the version number.

And of course the Wayback Machine can get hacked as well.

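The check described in the answer above, as an added example that is not part of the original post: it compares archived captures of a checksum page and flags an artifact whose published digest changed under the same name and version. The snapshot data, the `name  sha256:<hex>` page format and all function names are constructed assumptions. As the answer says, the result shows that a digest changed, not why.

```python
import re
from collections import defaultdict

# Constructed sample data: (capture timestamp, archived text of a checksum page).
# Timestamps are 14-digit YYYYMMDDhhmmss strings; every value here is made up.
SNAPSHOTS = [
    ("20230104120000", "tool-1.2.0.tar.gz  sha256:" + "a" * 64),
    ("20230301080000", "tool-1.2.0.tar.gz  sha256:" + "a" * 64 + "\n"
                       "tool-1.3.0.tar.gz  sha256:" + "c" * 64),
    ("20230615093000", "tool-1.2.0.tar.gz  sha256:" + "b" * 64 + "\n"
                       "tool-1.3.0.tar.gz  sha256:" + "c" * 64),
]

# Assumed page format: "<artifact name>  sha256:<64 hex chars>", one per line.
LINE_RE = re.compile(r"^(\S+)[ \t]+sha256:([0-9a-fA-F]{64})[ \t]*$", re.MULTILINE)

def digest_history(snapshots):
    """Map artifact name -> chronologically ordered [(timestamp, digest)]."""
    history = defaultdict(list)
    for ts, text in sorted(snapshots):
        for name, digest in LINE_RE.findall(text):
            history[name].append((ts, digest.lower()))
    return history

def find_changes(snapshots):
    """Return {name: [(old_ts, old_digest, new_ts, new_digest)]} for every
    artifact whose digest differs between two consecutive captures."""
    changes = {}
    for name, entries in digest_history(snapshots).items():
        flips = [(p[0], p[1], c[0], c[1])
                 for p, c in zip(entries, entries[1:]) if p[1] != c[1]]
        if flips:
            changes[name] = flips
    return changes

def check_download(name, digest, snapshots):
    """Classify a locally computed digest against the archived history."""
    seen = [d for _, d in digest_history(snapshots).get(name, [])]
    if not seen:
        return "no-archived-record"
    if digest.lower() not in seen:
        return "never-published"
    if len(set(seen)) > 1:
        return "matches-but-digest-has-changed"  # cause cannot be determined
    return "matches-stable-history"

if __name__ == "__main__":
    for name, flips in find_changes(SNAPSHOTS).items():
        for old_ts, old, new_ts, new in flips:
            print(f"{name}: {old[:8]}... ({old_ts}) -> {new[:8]}... ({new_ts})")
```

A `matches-stable-history` result only means the archive never recorded a different digest; it says nothing about whether the archive or the first capture was trustworthy.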