If you don't have any way to trust the signing key "out-of-band", then you shouldn't trust the binaries. I don't really see why they supply separate sha1sums in addition to the pgp signatures.
Now, the fact that people are more inclined to trust the bundled ca keys, rather than a web-of-trust backed pgp key is generally just because people don't understand trust.
Say, if you're in Thailand[1] and require a secure way to communicate, where do you get your os/browser-bundled ca keys? Do you trust a CA that is under influence of the Thai government? Under influence of a sympathetic government?
Do you really trust all the CA keys bundled with your os/browser/phone? Do you know which they are? If not, please don't spread FUD wrt web-of-trust based trust models.
To be clear, both have a bootstrap problem -- but only web-of-trust offers a reasonable way for the individual to ensure proper trust chains. No trust chain is (by definition) without trust, so no model (ca or wot) is immune to being betrayed. But at least wot is designed for the user to be able to influence (and be aware of) trust -- and for easy auditing (most keys are personal, or anchored to personal ids, while it can often be hard to tell who are able to access ca keys and sign possibly rogue certs).
Now, the fact that people are more inclined to trust the bundled ca keys, rather than a web-of-trust backed pgp key is generally just because people don't understand trust.
Say, if you're in Thailand[1] and require a secure way to communicate, where do you get your os/browser-bundled ca keys? Do you trust a CA that is under influence of the Thai government? Under influence of a sympathetic government?
Do you really trust all the CA keys bundled with your os/browser/phone? Do you know which they are? If not, please don't spread FUD wrt web-of-trust based trust models.
To be clear, both have a bootstrap problem -- but only web-of-trust offers a reasonable way for the individual to ensure proper trust chains. No trust chain is (by definition) without trust, so no model (ca or wot) is immune to being betrayed. But at least wot is designed for the user to be able to influence (and be aware of) trust -- and for easy auditing (most keys are personal, or anchored to personal ids, while it can often be hard to tell who are able to access ca keys and sign possibly rogue certs).
[1] http://www.cbc.ca/news/world/thai-police-we-ll-get-you-for-j...