by roddux 3793 days ago
But if the file and site are both accessed over HTTP, it's possible for a bad actor to alter the file and then change the signatures+checksums listed on the page to reflect it.
1 comments

That can happen regardless of HTTP/HTTPS; say, if the site was hacked, they could be serving a bad key/signature, which is why you should always obtain the public GPG key (in any scenario, really) via a trusted channel, or multiple ones.

So for instance in this case you could grab the GPG key, go into their IRC channel and ask for it again, etc.

I do agree HTTP makes it easier to MITM, but in theory if you are serious about security you should not be relying on HTTPS alone.

The fact is, however, HTTPS offers massive improvements for security for the majority of users, especially those using public or shared Wi-Fi (i.e. work or school), assuming they're using their own device. Assuming HSTS was set up, it would be impossible to strip SSL without causing most browsers to panic and refuse you access to the website.

On those types of networks, MITM attacks are extremely easy, and there are tools to do it in seconds. It may be more likely for you to get MITM'd and have them modify the signature, than for the actual website to get hacked. Combined with the fact that some people would try to download Tails across these types of network for the added anonymity.
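
An added example, not part of the thread: one way to do the "trusted channel, or multiple ones" check is to compare the key's full fingerprint as seen on each channel and accept it only when every channel agrees. The channel names and fingerprint values are constructed, and the check assumes the channels are independent of each other.

```python
import re

# A full OpenPGP v4 fingerprint is 160 bits = 40 hex digits. Short (8-digit)
# and long (16-digit) key IDs are truncations and are not counted as evidence.
V4_FPR_HEX_LEN = 40


def normalize_fingerprint(raw):
    """Return 40 uppercase hex digits, or None if raw is not a full fingerprint."""
    cleaned = re.sub(r"[\s:]", "", raw).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if re.fullmatch(r"[0-9A-F]{%d}" % V4_FPR_HEX_LEN, cleaned):
        return cleaned
    return None


def cross_check(observations, min_channels=2):
    """observations maps channel name -> fingerprint text as seen on that channel.

    Returns (agreed, groups, rejected): agreed is the fingerprint only when all
    usable channels match and at least min_channels of them reported it; groups
    maps each distinct fingerprint to the channels that showed it; rejected
    lists channels that gave something other than a full fingerprint.
    """
    groups, rejected = {}, []
    for channel, raw in observations.items():
        fpr = normalize_fingerprint(raw)
        if fpr is None:
            rejected.append(channel)
        else:
            groups.setdefault(fpr, []).append(channel)
    agreed = None
    if len(groups) == 1:  # any disagreement means some channel may be tampered with
        fpr, channels = next(iter(groups.items()))
        if len(channels) >= min_channels:
            agreed = fpr
    return agreed, groups, rejected


# Constructed sample values, not a real project's key.
GOOD = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
FORGED = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
SAMPLE_OK = {
    "website_http": GOOD,
    "irc_channel": "0x0123456789abcdef0123456789abcdef01234567",
    "mailing_list": "89ABCDEF01234567",  # 64-bit key ID only: rejected
}
SAMPLE_TAMPERED = dict(SAMPLE_OK, website_http=FORGED)
```
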