Verifying SHA256SUMS without verifying gpg signatures is only useful for detecting corruption, not a malicious attack, with or without https.
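The point above as an added shell example, not part of the original text: a checksum-only check passes on a constructed mirror where both the file and its `SHA256SUMS` were replaced, while a check gated on the signature refuses. The function names, the `SHA256SUMS.gpg` detached-signature file name and the keyring path are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Assumed layout: DIR holds the download, SHA256SUMS and a
# detached signature SHA256SUMS.gpg; KEYRING is an absolute path to a file of
# trusted release keys obtained out of band.

# checksum_only DIR: passes whenever the files match the list, no matter who
# wrote the list. Detects corruption, nothing more.
checksum_only() {
    ( cd "$1" && sha256sum -c --ignore-missing --quiet SHA256SUMS >/dev/null 2>&1 )
}

# verify_release DIR KEYRING: fail closed unless SHA256SUMS carries a valid
# signature from a key in KEYRING; only then are its hashes trusted.
verify_release() {
    dir=$1 keyring=$2
    [ -f "$dir/SHA256SUMS" ]     || { echo "no SHA256SUMS" >&2; return 2; }
    [ -f "$dir/SHA256SUMS.gpg" ] || { echo "no signature: refusing" >&2; return 3; }
    [ -f "$keyring" ]            || { echo "no trusted keyring: refusing" >&2; return 3; }
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not installed" >&2; return 3; }
    # gpgv accepts only keys present in the given keyring (no keyserver, no trustdb).
    gpgv --keyring "$keyring" "$dir/SHA256SUMS.gpg" "$dir/SHA256SUMS" 2>/dev/null \
        || { echo "bad signature on SHA256SUMS" >&2; return 4; }
    checksum_only "$dir" || { echo "checksum mismatch" >&2; return 5; }
}

# Constructed scenario: whoever swapped the image also regenerated SHA256SUMS,
# but cannot produce a signature from the real release key, so none is present.
make_tampered_mirror() {
    d=$(mktemp -d) || return 1
    printf 'tampered image\n' > "$d/image.iso"
    ( cd "$d" && sha256sum image.iso > SHA256SUMS )
    echo "$d"
}

demo=$(make_tampered_mirror)
checksum_only "$demo" && echo "checksum only: OK (file and list were both replaced)"
verify_release "$demo" "$demo/trusted-keys.gpg" || echo "signature-gated check: rejected (rc=$?)"
rm -rf "$demo"
```
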