Which might be OK for making sure the download isn't corrupted, but are useless for defending against an attacker, since the checksums themselves are hosted on a non-HTTPS site.
You're supposed to check the signature with the key you got "out of band". That means good security practice. Even if you get the key from an SSL/TLS-enabled site, you can't guarantee it's the right one; CAs can be compromised. The checksum is to let you check if the download is corrupted and the signature is to check against the key you already have. Other forms of checking are just a false sense of security.
An attacker wouldn't MITM your download, they would take control over your mirror and serve bad copies. Hence the signatures.
SSL-secured downloads would be pretty much snake oil for ensuring file integrity end-to-end. You will find the same practice pretty much everywhere among the larger projects.
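The check "against the key you already have", as an added example that is not part of the original thread: it reads GnuPG's machine-readable status output and accepts a download only when the signature was made by a pinned fingerprint. `PINNED_FPR`, the function names and the sample status lines are constructed placeholders.

```shell
#!/usr/bin/env bash
# Fingerprint obtained out of band (constructed placeholder, not a real key).
PINNED_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names the pinned key and no bad/expired/revoked status was reported.
# $1 = pinned fingerprint.
sig_matches_pinned_key() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint when gpg reports it;
            # otherwise fall back to the signing-key fingerprint in field 3.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# $1 = detached signature, $2 = downloaded file. A "good signature" from any
# other key in the keyring is rejected, which a bare `gpg --verify` would not do.
verify_download() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        sig_matches_pinned_key "$PINNED_FPR"
}

# Constructed status output: signed by the pinned key.
GOOD_STATUS="[GNUPG:] GOODSIG 0000111122223333 Example Release Key
[GNUPG:] VALIDSIG $PINNED_FPR 2024-01-01 1704067200 0 4 0 22 10 00 $PINNED_FPR"

# Constructed status output: cryptographically valid, but made by another key
# (what a controlled mirror could serve alongside a replaced file).
OTHER_KEY_STATUS="[GNUPG:] GOODSIG 9999888877776666 Someone Else
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2024-01-01 1704067200 0 4 0 22 10 00 9999888877776666555544443333222211110000"

# Constructed status output: file does not match the signature.
BAD_STATUS="[GNUPG:] BADSIG 0000111122223333 Example Release Key"
```

A checksum fetched from the same mirror as the file has no counterpart to the pinned fingerprint here, which is why it only detects corruption.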