Just noticed I have checked the gz file hash while it was being downloaded (again) and checked the img file from a previous download.
I re-downloaded it using wget and got the right checksum. Thanks!
Which file, exactly ?
I downloaded the Pi2/3 from retropie.org.uk/download and the MD5 checksum of the .gz compressed image is identical to the one published on the page (eb62ee88bf890e6d9ac9164bcb3e4a23).
Just ran it with on the .gz file and it checked out. Sorry for the false alarm.