The fake sites have hashes for the fake versions so there is no point in verifying hashes
The fake sites have signatures for the fake versions so there is no point in verifying signatures
Which is exactly why you use a well-known PGP key[1] (set up in advance) with a trusted fingerprint. You don't download a random PGP key from the website you are downloading the unknown software from and use it to verify a signature.
Are you even reading what you are saying?
[1] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
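An added illustration of the fingerprint-pinning point above (not code from anyone in this thread): gpg saying "Good signature" is not enough, because a fake site can ship a key that signs its fake download perfectly; the check that matters is whether the signing key's fingerprint matches the one you set up in advance. The status lines and the pinned fingerprint below are constructed placeholders.

```python
import re
import subprocess

# Fingerprint you obtained and trusted beforehand (constructed placeholder,
# not a real project key; replace with the maintainer's published fingerprint).
PINNED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

def _norm(fpr: str) -> str:
    """Strip spaces/colons and uppercase so fingerprints compare reliably."""
    return re.sub(r"[^0-9A-F]", "", fpr.upper())

def signer_fingerprint(status_lines):
    """Pull the signing key's fingerprint out of gpg's --status-fd output.
    Returns None if gpg never reported a VALIDSIG (bad or missing signature)."""
    for line in status_lines:
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pk-algo> <hash-algo> <class> [<primary-fpr>]
            # Prefer the primary-key fingerprint (field 11) when gpg emits it.
            return f[11] if len(f) >= 12 else f[2]
    return None

def accept(status_lines, pinned=PINNED_FPR):
    """Accept only a valid signature made by the pinned key; any other key,
    however 'good' gpg calls its signature, is rejected."""
    fpr = signer_fingerprint(status_lines)
    return fpr is not None and _norm(fpr) == _norm(pinned)

def verify_download(path, sig_path, pinned=PINNED_FPR):
    """Real-world wrapper: run gpg on a detached signature, then pin-check."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, path],
                          capture_output=True, text=True)
    return accept(proc.stdout.splitlines(), pinned)

# Constructed gpg status output for a download signed by the pinned key.
GENUINE_STATUS = [
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Maintainer <m@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 "
    "1704067200 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
]
# Constructed output for a fake site's download: gpg reports a good signature,
# but it was made by the attacker's own key, which is not the pinned one.
FAKE_SITE_STATUS = [
    "[GNUPG:] GOODSIG FEDCBA9876543210 Maintainer <m@example.org>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 "
    "1704067200 0 4 0 22 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98",
]
```
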