One could argue that signed packages are still harder to check because publicly facing web servers are easier to hack, but you need to get the signature somewhere, which is usually included in your distribution, which you downloaded through an insecure http or ftp connection.
That doesn't protect you from truncation attacks: almost no server out there sends a close_notify before closing the TLS connection, so few tools will throw an error when you receive an incomplete file.
It may be hard to exploit, but executing a script before you have completely downloaded it is simply a really bad idea.
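The truncation problem described above, as an added shell example (not from the original thread): it constructs two small installer scripts, cuts each off after three lines to stand in for a connection closed without close_notify, and shows that the version wrapped in a function runs nothing while the plain one executes partially; run_if_complete is the completeness check a downloader should do before handing a file to sh. The script contents, file names, the three-line cut and the size check are constructed assumptions.

```shell
#!/bin/sh
# Added example: a cut-off download leaves the shell a partial script.
# Mitigation 1: keep the body in a function invoked only on the last
# line, so a truncated copy runs nothing. Mitigation 2: save to a file
# and verify its size (better: a published checksum) before running it.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed installer in the guarded style.
write_guarded_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
main() {
    echo "step 1: preparing"
    echo installed > "$INSTALL_MARKER"
    echo "step 2: finishing"
}
main "$@"
EOF
}
# Constructed installer in the usual top-to-bottom style.
write_plain_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
echo "step 1: preparing"
echo installed > "$INSTALL_MARKER"
echo "step 2: finishing"
EOF
}
# Simulate a connection closed early: keep only the first N lines.
truncate_to() { head -n "$2" "$1" > "$1.partial"; }
# Run a truncated copy of the "guarded" or "plain" installer; print
# "ran" if it left state behind, "inert" if nothing executed.
effect_of_truncation() {
    script="$WORK/$1.sh"; "write_$1_script" "$script"
    truncate_to "$script" 3
    INSTALL_MARKER="$WORK/$1.marker"; export INSTALL_MARKER
    sh "$script.partial" >/dev/null 2>&1 || true
    if [ -f "$INSTALL_MARKER" ]; then echo ran; else echo inert; fi
}
# Execute only if the file is as long as the publisher declared.
run_if_complete() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$2" ] || return 1
    sh "$1"
}
echo "plain installer, truncated: $(effect_of_truncation plain)"
echo "guarded installer, truncated: $(effect_of_truncation guarded)"
```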