But the attacker's forged keys don't match the real developer's key signature. If you don't check that the key you obtained is actually the proper key, you have skipped an important step.
But the attacker delivers all three together: the developer's public key, the binaries / source code, and the signatures. Therefore they have everything needed to alter the software without anyone noticing. For example, I can change Electrum's source code, replace Thomas's key with mine, replace Thomas's signature with mine, and give it to you. How would you know I've compromised it?
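A worked illustration of that substitution, and of the check that catches it. This is an added example, not code from this thread or from the Electrum project. To stay runnable with only the Python standard library it uses a deliberately toy textbook-RSA signature over SHA-256 (no padding, fixed Mersenne primes, never to be used for real); the developer and attacker keys, the release "bundle" layout and the run_demo function are all constructed for the demonstration. The lesson is in the verification policy: verifying the signature against whatever key arrived with the download passes for the attacker's re-signed copy, while pinning the fingerprint you obtained earlier through an independent channel rejects it.

```python
import hashlib
import hmac

E = 65537  # public exponent shared by both toy keys

# Toy keys built from Mersenne primes (constructed for the demo only; a real
# RSA key from primes this well known would be trivially factored).
DEV_P, DEV_Q = 2**127 - 1, 2**521 - 1      # "Thomas's" key in the story
ATT_P, ATT_Q = 2**107 - 1, 2**607 - 1      # the attacker's own key


def keypair(p, q):
    """Return (public, private) for textbook RSA with primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest_int(data):
    # n is > 2**647 for both keys, so the 256-bit digest is always < n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    return pow(_digest_int(data), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data)


def fingerprint(pub):
    """Stable identifier of a public key, analogous to a PGP fingerprint."""
    n_bytes = pub["n"].to_bytes((pub["n"].bit_length() + 7) // 8, "big")
    return hashlib.sha256(n_bytes + pub["e"].to_bytes(3, "big")).hexdigest()


def naive_verify(bundle):
    """The mistake: trust whatever key was shipped alongside the download."""
    return verify(bundle["pubkey"], bundle["code"], bundle["sig"])


def pinned_verify(bundle, trusted_fpr):
    """Insist that the shipped key is the one whose fingerprint we already
    hold from an independent channel, then verify the signature with it."""
    if not hmac.compare_digest(fingerprint(bundle["pubkey"]), trusted_fpr):
        return False
    return verify(bundle["pubkey"], bundle["code"], bundle["sig"])


def run_demo():
    dev_pub, dev_priv = keypair(DEV_P, DEV_Q)
    att_pub, att_priv = keypair(ATT_P, ATT_Q)

    # Fingerprint the user recorded earlier from a source the attacker does
    # not control (project site over HTTPS, key signed by people they trust).
    trusted_fpr = fingerprint(dev_pub)

    code = b"# electrum release (constructed sample)\nprint('hello')\n"
    evil = b"# electrum release (constructed sample)\nsteal_wallet()\n"

    genuine = {"code": code, "pubkey": dev_pub, "sig": sign(dev_priv, code)}

    # Attacker edits the code but leaves the developer's key and signature.
    tampered_same_key = dict(genuine, code=evil)

    # Attacker edits the code AND swaps in their own key and signature,
    # exactly the scenario described above.
    tampered_swapped_key = {
        "code": evil, "pubkey": att_pub, "sig": sign(att_priv, evil)}

    return {
        "naive_genuine": naive_verify(genuine),
        "naive_tampered_same_key": naive_verify(tampered_same_key),
        "naive_tampered_swapped_key": naive_verify(tampered_swapped_key),
        "pinned_genuine": pinned_verify(genuine, trusted_fpr),
        "pinned_tampered_swapped_key": pinned_verify(
            tampered_swapped_key, trusted_fpr),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:32s} {'ACCEPT' if ok else 'REJECT'}")
```

The only case the naive check catches is the clumsy one where the attacker forgets to re-sign; the fully swapped bundle is internally consistent and verifies fine. What breaks the attack is the comparison against a fingerprint that did not travel with the download, which is the step the thread is arguing about.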