A published hash sum on its own only protects against non-malicious errors in the download. This is of limited use, since even regular HTTP is verified with a 16 bit CRC checksum.
Distributing a hash check over HTTPS would offer some protection against man in the middle style attacks, to the extent that TLS protects against man in the middle attacks, but accomplishes nothing if the server has been compromised.
Distributing a signature of the download gives stronger protection, because the private key can be kept offline and encrypted except when in use. Breaking into a server and overwriting a few files is easier than breaking into someone's laptop in the brief moment where they unlock their keypair to sign a release.
Distributing a hash check over HTTPS would offer some protection against man in the middle style attacks, to the extent that TLS protects against man in the middle attacks, but accomplishes nothing if the server has been compromised.
Distributing a signature of the download gives stronger protection, because the private key can be kept offline and encrypted except when in use. Breaking into a server and overwriting a few files is easier than breaking into someone's laptop in the brief moment where they unlock their keypair to sign a release.