How do you make sure that the checksum is indeed authentic and someone hasn’t tampered with the official site?
GPG ensures that whatever checksum/file is on the site came from you and nobody else (there are ways for a certificate collision to occur, but I’m more likely to grow a third thumb :p).
I see, I just assumed the site is trusted. I think the signature check is indeed best left to the package manager once we create distribution-specific repositories.
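As an added example of the check the exchange above is about (not code from the thread or from the project being discussed): a POSIX shell function that verifies a detached GPG signature over a checksum list against a pinned publisher fingerprint, and only then compares the download against that list. It assumes GnuPG 2.1 or newer (for `--quick-gen-key` and `--pinentry-mode loopback`) and coreutils `sha256sum`; the demo key, file names and temp-directory layout are all constructed here. The point the thread makes is that trusting the site is not enough: the fingerprint must come from somewhere other than the site that serves the files, which is why `verify_release` takes it as an explicit argument instead of trusting whatever key validates.

```shell
#!/bin/sh
# Added example, not from the thread: verify a GPG-signed checksum file against a
# pinned publisher fingerprint, then check the downloaded file against it.
# Every name below (demo key, file names, directory layout) is constructed here.
set -eu

# verify_release FILE SUMS SIG EXPECTED_FPR KEYRING
# Succeeds only when (1) SIG is a valid detached signature over SUMS made by the
# key whose fingerprint is EXPECTED_FPR, looked up in the dedicated KEYRING, and
# (2) FILE's SHA-256 matches its entry in SUMS.  Anything else is a failure.
verify_release() {
    file=$1; sums=$2; sig=$3; expected_fpr=$4; keyring=$5

    # --status-fd gives machine-readable lines; a human-readable "Good signature"
    # from some unknown key must never be mistaken for success.
    status=$(GNUPGHOME=$keyring gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    got_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$got_fpr" ] || return 1
    # Pin the signing key: a compromised site could serve its own key alongside
    # its own checksums, so the fingerprint must be obtained out of band.
    [ "$got_fpr" = "$expected_fpr" ] || return 1

    actual=$(sha256sum "$file" | awk '{ print $1 }')
    expected=$(awk -v name="$(basename "$file")" '$2 == name { print $1; exit }' "$sums")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Build a throwaway publisher key and a signed release in a temp dir, then run the
# checks a package consumer cares about.  Returns 0 only if every case behaves
# as expected (good release accepted, each tampering rejected).
demo_run() {
    work=$(mktemp -d)
    keyring=$work/keyring; mkdir -m 700 "$keyring"
    export GNUPGHOME=$keyring

    # Constructed publisher key (ed25519, sign-only, never expires) for the demo.
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-gen-key 'Demo Publisher <demo@example.invalid>' ed25519 sign never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys demo@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    release=$work/release-1.0.tar.gz
    printf 'constructed release payload\n' > "$release"
    (cd "$work" && sha256sum release-1.0.tar.gz > SHA256SUMS)
    gpg --batch --yes --passphrase '' --pinentry-mode loopback \
        --detach-sign --armor -o "$work/SHA256SUMS.asc" "$work/SHA256SUMS" 2>/dev/null

    # 1. Untampered release, correct pinned fingerprint: must pass.
    verify_release "$release" "$work/SHA256SUMS" "$work/SHA256SUMS.asc" "$fpr" "$keyring" || return 1
    # 2. Same valid signature, but the consumer pinned a different fingerprint: must fail.
    if verify_release "$release" "$work/SHA256SUMS" "$work/SHA256SUMS.asc" \
        "0000000000000000000000000000000000000000" "$keyring"; then return 1; fi
    # 3. Download modified after signing: hash no longer matches the signed list.
    printf 'extra bytes\n' >> "$release"
    if verify_release "$release" "$work/SHA256SUMS" "$work/SHA256SUMS.asc" "$fpr" "$keyring"; then return 1; fi
    # 4. Checksum list rewritten to match the modified download: signature breaks.
    (cd "$work" && sha256sum release-1.0.tar.gz > SHA256SUMS)
    if verify_release "$release" "$work/SHA256SUMS" "$work/SHA256SUMS.asc" "$fpr" "$keyring"; then return 1; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

demo_run && echo "all verification cases behaved as expected"
```

In real use the pinned fingerprint would be read from a file shipped with your own tooling or recorded from a separate channel, and the keyring would contain only that publisher's key; this is effectively what a distribution package manager does on the consumer's behalf once a signed repository exists.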