http://www.perlmonks.org?node_id=350008


in reply to Re: Re^2: Blatant security problem in certain CPAN module installs
in thread Blatant security problem in certain CPAN module installs

To add to what Abigail-II said, SIGNATURE files are not currently a good security system. As things stand now, it is unlikely that you have a sufficient web-of-trust to verify the author's key. It is thus very easy for man-in-the-middle attacks to work.

They're certainly not as good a mechanism as they could be with more support for them in the infrastructure - but I'd still argue they're an improvement over straight hashes.

Further, a lot of people don't check the signature until the automatic installation method has already done it for them (usually via a 001_signature.t test). This means the code has already started running by the time the signature is checked.

And that's foolish on their part. I don't do that.
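As an added illustration of the point above (my own example, not code from this thread or from Module::Signature): a stand-alone check of the digest lines in a distribution's SIGNATURE file that can be run before `perl Makefile.PL`, so no distribution code executes first. It only covers file integrity; the clearsigned PGP signature and the trust in the signer's key still have to be verified separately (e.g. with gpg), which is exactly the web-of-trust gap described in the thread. The distribution tree and SIGNATURE text below are constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Digest lines in the clearsigned body of a SIGNATURE file look like
#   SHA1 <40 hex> <path>   or   SHA256 <64 hex> <path>
DIGEST_LINE = re.compile(r"^(SHA1|SHA256)\s+([0-9a-f]+)\s+(\S.*)$", re.I)

def parse_signature(text):
    """Return {path: (algorithm, hexdigest)} from the signed body of a SIGNATURE file.
    Lines before the PGP SIGNED MESSAGE header and the PGP signature block are skipped;
    nothing here checks the PGP signature itself or who produced it."""
    digests, in_body = {}, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body = True
        elif line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        elif in_body and (m := DIGEST_LINE.match(line)):
            digests[m.group(3)] = (m.group(1).lower(), m.group(2).lower())
    return digests

def verify_tree(root, digests):
    """Map each listed path to 'missing' or 'mismatch'; an empty dict means all match."""
    problems = {}
    for rel, (algo, expected) in digests.items():
        target = Path(root) / rel
        if not target.is_file():
            problems[rel] = "missing"
        elif hashlib.new(algo, target.read_bytes()).hexdigest() != expected:
            problems[rel] = "mismatch"
    return problems

def demo():
    """Constructed unpacked distribution: one file altered after signing, one deleted."""
    files = {"Changes": b"0.01 first release\n", "lib/Foo.pm": b"package Foo;\n1;\n",
             "README": b"Foo - constructed sample\n"}
    body = "\n".join(f"SHA256 {hashlib.sha256(c).hexdigest()} {p}" for p, c in files.items())
    signature = ("Unsigned preamble.\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                 + body + "\n-----BEGIN PGP SIGNATURE-----\n(placeholder)\n"
                 "-----END PGP SIGNATURE-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        for p, c in files.items():
            (Path(tmp) / p).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / p).write_bytes(c)
        (Path(tmp) / "lib/Foo.pm").write_bytes(b"package Foo;\n# altered after signing\n1;\n")
        (Path(tmp) / "README").unlink()
        return verify_tree(tmp, parse_signature(signature))
```

Run against a real unpacked tarball, `verify_tree(dist_dir, parse_signature(Path(dist_dir, "SIGNATURE").read_text()))` should return an empty dict before you go anywhere near Makefile.PL; anything else, or a PGP signature that gpg cannot tie to a key you actually trust, means stop.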