You can verify the signature. The Tor packages are signed by a Tor developer named Erinn Clark. Of course, it's possible that somebody put a gun to her head and forced her to sign compromised packages. In that case, download the source from the Tor Project's Git repository, audit it to make sure it is secure, and compile it yourself. That's paranoia level 9000, but I'm sure there are people who do that.
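The signature check mentioned above, as an added example that is not part of the original answer: `gpg --verify` reports a good signature for any key present in the keyring, so this wrapper also requires that the signature was made by one pinned fingerprint. The function names, sample status lines and fingerprints are constructed for illustration; the real fingerprint has to come from the Tor Project's own published signing-key information.

```shell
#!/bin/sh
# Added example. Fingerprints and status lines below are constructed samples,
# not real Tor Project values.
PINNED='0123456789ABCDEF0123456789ABCDEF01234567'
OTHER='FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Constructed `gpg --status-fd` output: a good signature from PINNED ...
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $PINNED 2014-01-01 1388534400 0 4 0 1 8 00 $PINNED"
# ... and a valid signature made by a key that has since expired.
SAMPLE_EXPKEY="[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $PINNED 2014-01-01 1388534400 0 4 0 1 8 00 $PINNED"

# check_status FPR
# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names FPR
# as the signing key or its primary key and no failure status was reported.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pkg FILE SIGFILE FPR
# Verifies a detached signature and requires that it was made by FPR.
verify_pkg() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Usage: sh verify.sh FILE FILE.asc FINGERPRINT
if [ "$#" -eq 3 ]; then
    if verify_pkg "$1" "$2" "$3"; then
        echo "good signature from the pinned key"
    else
        echo "verification FAILED" >&2
        exit 1
    fi
fi
```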