While the points you raise are valid, this isn't really a place to discuss these types of issues. Igor doesn't monitor the wiki (it's run by volunteers).
The download pages are not publicly editable, but of course, as you mention, the server could be hacked. PGP will not help in this case as the malicious user could change the links to the PGP key to his or her own. In fact, they could sign the altered archives themselves with their own key, lending an air of legitimacy.
Trusted third-party signatures would help with (although still not completely obviate) this potential risk. But again, Igor will likely never see your suggestion. You should take it to the mailing list.