Since direct SSL certificate pinning for check.torproject.org and torproject.org (curl method) (T80) would have to wait a long time, until Debian stretch, this ticket is for an alternative approach.
Please make sure you've read T80 first.
wget has no feature for direct certificate pinning (feature request).
Eventual Workaround... Creating a own local certificate authority, add only the one certificate we want to use. Approach:
wget --ca-certificate <file> openssl s_client -showcerts -connect www.torproject.org:443 >/tmp/x.cert </dev/null openssl x509 -in cert.pem -noout -text -pubkey
Open question: How to sign a certificate if you have no access to the private key and CSR (certificate signing request)?
OpenSSL users mailing list: Sign public key without having CSR or private key?; might work - didn't test, not sure if it could work.