An attacker can't change the content without breaking the signatures and keys. If you can verify the keys from independent sources you can feel safe (this is where I don't have practice). If an attacker somehow can steal the private keys it's bad, but compromising the web page doesn't mean that they have access to the private keys used for the signatures. I don't know about common security practices for managing https keys but I would think that a compromised https server would mean a compromised ssl private key too in most cases.

Also https only verifies that page you see is the one intended to be hosted by the URL's owner. Even if the website had a valid cert signed by a trustworthy CA it wouldn't mean more. From that URL I couldn't tell if it's still a trustworthy site from I can download PuTTY.

I don't know the state of PGP though. I'm looking at http://keyserver.ubuntu.com/ right now and all I see are plain signatures of keys without any comment on the "type of trust" between the two parties (I'm really new to this). But it seems probable that if somebody signed the PuTTY master keys then it meant that "I trust that this key belongs to the PuTTY team who create the trustworthy PuTTY software" since I wouldn't sign faulty software even if I knew that it came from a valid source. It would be nice if people would sign certificates with comments like this.

edit: Sorry, seems like I misunderstood your comment. For my defense you misunderstood mine too. I don't say HTTPS is more secure. I just don't have any practice in verifying keys using gnupg.

edit2:

download the source and build it yourself

I usually don't audit the source code I build from a random project. A compromised source code for me is as dangerous as a compromised binary (for me at least).

Downloading a file from multiple nations and comparing is more work that downloading it over HTTPS.