Board Electrum
Re: Electrum Hashes
by pooya87 on 01/01/2019, 04:22:16 UTC
Hashes are worthless because even fake sites can host hashes. Also, if the official site gets hacked, the hacker can replace the hashes too. This has actually happened in the past in the open-source world with Linux Mint. A digital signature can't be forged though, so that's why digital signatures are provided.

I think the confusion stems from the fact that Linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 hash) of the .iso file, but what people miss is that they are also signing the hashes with a PGP key, which you have to verify.
I believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with PGP, so they provide hashes, then sign them with their key.
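
The two-step check described in this post, as an added example that is not part of the original post: verify the PGP signature over the hash manifest first, then compare the download's SHA-256 with its manifest entry. The function names and the file names `SHA256SUMS` / `SHA256SUMS.gpg` are assumptions, as is a publisher key that is already in the local GnuPG keyring with a fingerprint confirmed through an independent channel.

```shell
#!/bin/sh
# Added example: verify a download against a PGP-signed hash manifest.
# Assumes GNU coreutils (sha256sum), GnuPG, and file names without spaces.

# Step 1: check the detached signature over the manifest itself.
# gpg accepts a good signature from ANY key in the keyring, so the keyring
# should hold only keys whose fingerprints were checked out of band.
# Usage: verify_manifest_sig SHA256SUMS.gpg SHA256SUMS
verify_manifest_sig() {
    gpg --verify "$1" "$2"
}

# Step 2: compare the file's SHA-256 with its entry in the manifest.
# Usage: check_manifest_hash SHA256SUMS file
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed.
check_manifest_hash() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    # Manifest lines look like "<hex digest>  <name>" or "<hex digest> *<name>".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' \
        "$manifest")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Both steps in order: a matching hash only means something once the
# manifest's signature has been verified.
# Usage: verify_download SHA256SUMS.gpg SHA256SUMS file
verify_download() {
    verify_manifest_sig "$1" "$2" \
        || { echo "manifest signature invalid" >&2; return 1; }
    check_manifest_hash "$2" "$3" \
        || { echo "hash mismatch or file not listed" >&2; return 1; }
    echo "OK: $3"
}
```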