by SEMW 3561 days ago
Does it matter? If your connection gets MITM'd and someone changes the .sig files, they'll no longer validate against GNU's code-signing public key (which you may already have; if not, the link to download it is https: https://ftp.gnu.org/gnu/gnu-keyring.gpg). (Unless of course that person has GNU's private key, but in that case you've lost before you started.)

(Incidentally, if you just change the URL from http to https (or use the EFF's HTTPS Everywhere addon) it works fine; the server does support it.)


Yes, it matters. https is not perfect, but it is 99% less vulnerable than http.

I think you should read what GP said again. To repeat: there's no point in downloading a PGP signature over SSL -- if you have the signing key locally (which you can get over HTTPS). Because you use crypto to verify the signature and if someone MITMs you then the keys won't match. The reason why most people use HTTP for distribution (including many GNU/Linux distributions) is because mirror sites generally don't have HTTPS, and so you would have to require everyone to connect to your main server (which increases bandwidth and latency costs).
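The point made by SEMW and restated in the reply above, demonstrated as an added example that is not from the thread: once the verifier holds the maintainer's public key (the role gnu-keyring.gpg plays), a detached signature fetched over plain HTTP still catches a swapped tarball, and a signature made with a key the verifier never imported is rejected too. The key names, file names and contents are all constructed; everything runs in throwaway GNUPGHOME directories and requires only a local gpg.

```shell
#!/bin/sh
# Added example (not from the thread). Shows that OpenPGP detached-signature
# verification depends on the key you already hold, not on the transport the
# .sig arrived over. Uses throwaway GNUPGHOME directories under mktemp -d.

verify_detached() {              # $1 = GNUPGHOME, $2 = .sig file, $3 = signed file
    GNUPGHOME="$1" gpg --batch --quiet --verify "$2" "$3" >/dev/null 2>&1
}

make_demo_key() {                # $1 = GNUPGHOME, $2 = user id; passphrase-less demo key
    mkdir -p -m 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign 0 >/dev/null 2>&1
}

# Returns 0 only if the genuine signature verifies AND both tampering
# scenarios (swapped tarball, signature from a stranger's key) are rejected.
demo_sig_verification() {
    tmp=$(mktemp -d)
    maint="$tmp/maintainer"; attacker="$tmp/mitm"; verifier="$tmp/verifier"
    make_demo_key "$maint" 'Demo Maintainer <demo@example.invalid>'
    make_demo_key "$attacker" 'MITM <mitm@example.invalid>'

    # Constructed stand-in for a release tarball, signed by the maintainer.
    printf 'pretend this is a release tarball\n' > "$tmp/release.tar.gz"
    GNUPGHOME="$maint" gpg --batch --quiet --detach-sign --armor \
        -o "$tmp/release.tar.gz.sig" "$tmp/release.tar.gz"

    # The verifier holds only the maintainer's public key, obtained once
    # over a trusted channel (the HTTPS keyring download in the thread).
    mkdir -p -m 700 "$verifier"
    GNUPGHOME="$maint" gpg --batch --export 2>/dev/null \
        | GNUPGHOME="$verifier" gpg --batch --quiet --import 2>/dev/null

    # 1. Genuine tarball + genuine .sig: verifies, whatever transport carried them.
    verify_detached "$verifier" "$tmp/release.tar.gz.sig" "$tmp/release.tar.gz" || return 1

    # 2. Tarball swapped in transit, .sig left alone: BAD signature.
    printf 'trojaned tarball\n' > "$tmp/trojan.tar.gz"
    if verify_detached "$verifier" "$tmp/release.tar.gz.sig" "$tmp/trojan.tar.gz"; then return 1; fi

    # 3. Trojan re-signed with a key the verifier never imported: no public key.
    GNUPGHOME="$attacker" gpg --batch --quiet --detach-sign --armor \
        -o "$tmp/trojan.tar.gz.sig" "$tmp/trojan.tar.gz"
    if verify_detached "$verifier" "$tmp/trojan.tar.gz.sig" "$tmp/trojan.tar.gz"; then return 1; fi

    for d in "$maint" "$attacker" "$verifier"; do GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null; done
    rm -rf "$tmp"
    return 0
}
```

Only case 3 would succeed if the attacker held the maintainer's private key, which is the "lost before you started" situation in the thread.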