An attacker with a Man-in-the-Middle position, able to intercept and silently modify the HTTPS traffic (which is impractical in practice), could indeed be used by a user a modified executable with a modified hash and a compromised GPG key.
But if we were to be really paranoid, they would not download the GPG key that created the signature via the same login that they used to download the executable. Instead, you need to download the executable, for example, at home, and then download the GPG key in an Internet cafe.
As you can see, this is not really done in practice and usually it is not necessary to do it. TLS, if it is configured correctly, is considered secure in practice according to the standards of today.
So what to do in practice?
In practice, you have several options:
- Option 1: Ignore the hashes and GPG signatures and make sure that the download will be successful.
- Option 2: Check the attached checksum to make sure the download contains no errors. That's what I do personally with operating system downloads and the like.
- Option 3: Download the GPG key, make
gpg --verify and see if everything is fine.
- Option 4: Download the executable on one machine, and then move to another location to download the GPG key. Then physically meet the manager to check the fingerprint of the key. Then check the download.
As you can see, the examples become more and more complex, in order to mitigate even more ridiculous risks. In the end, you must choose your own level of paranoia.