I think you should read what GP said again. To repeat: there's no point in downloading a PGP signature over SSL -- if you have the signing key locally (which you can get over HTTPS) -- because you use crypto to verify the signature, and if someone MITMs you then the keys won't match. The reason why most people use HTTP for distribution (including many GNU/Linux distributions) is that mirror sites generally don't have HTTPS, and so you would have to require everyone to connect to your main server (which increases bandwidth and latency costs).
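The check described in the comment above, as an added example that is not part of the original post: a client holding the signing key locally verifies a detached signature over whatever an untrusted mirror delivers. Ed25519 from Go's standard library stands in for PGP here, and `Download`, `seededKey`, `VerifyDownload` and `Scenarios` are hypothetical names with constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Download is what arrives over the untrusted channel (plain HTTP, a mirror).
type Download struct {
	Artifact, Signature []byte
}

// seededKey builds a deterministic key pair (constructed sample keys, so the
// run is reproducible; real signing keys are generated randomly).
func seededKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// VerifyDownload accepts the artifact only if the detached signature checks
// out against the locally held (pinned) public key.
func VerifyDownload(pinned ed25519.PublicKey, d Download) bool {
	return ed25519.Verify(pinned, d.Artifact, d.Signature)
}

// Scenarios verifies three constructed downloads against the pinned key.
func Scenarios() (honest, tampered, resigned bool) {
	pinned, releasePriv := seededKey(1) // client already has `pinned` locally
	_, otherPriv := seededKey(2)        // a key the client does not trust

	artifact := []byte("release-1.0.tar.gz contents (constructed sample)")
	good := Download{Artifact: artifact, Signature: ed25519.Sign(releasePriv, artifact)}

	// Artifact changed in transit, original signature left in place.
	modified := []byte("release-1.0.tar.gz contents (modified in transit)")
	swapped := Download{Artifact: modified, Signature: good.Signature}

	// Artifact and signature both replaced, signed with the untrusted key.
	replaced := Download{Artifact: modified, Signature: ed25519.Sign(otherPriv, modified)}

	return VerifyDownload(pinned, good), VerifyDownload(pinned, swapped), VerifyDownload(pinned, replaced)
}

func main() {
	h, t, r := Scenarios()
	fmt.Printf("honest mirror: %v\nartifact modified: %v\nartifact and signature replaced: %v\n", h, t, r)
}
```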