Channel: Bountied questions - Information Security Stack Exchange

Compare fingerprints of gpg --verify for files downloaded with / without TOR


From my understanding, unless we meet the creator of an archive in person and verify the primary key fingerprint, we can never be sure that the archive we download was really created by the person we think it was. Therefore gpg warns us that:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

In the case of this warning it is recommended to verify the primary key fingerprint with the issuer of an archive. However, this is very impractical. Alternatively, could we download an archive and its corresponding signature over two separate channels, i.e. the normal web and TOR, and verify whether the primary key fingerprint is the same? If it is the same, could we assume that it has not been tampered with?
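The check the question proposes, written out as an added example (this is not code from the Stack Exchange post): run `gpg --verify` with `--status-fd 1` on the copy fetched over each channel, pull the primary key fingerprint out of the machine-readable `VALIDSIG` line, and report whether the channels agree and whether gpg itself considers the key certified (the `TRUST_*` line is what drives the warning quoted above). The `verify_file` helper shells out to a real `gpg`; the status texts, key IDs, fingerprints and address are constructed for the offline demonstration. The script assumes gpg is on the PATH and that the hypothetical channels are named "web" and "tor". Agreement across channels only shows that both paths delivered the same key; a `TRUST_UNDEFINED` result still means nobody you trust has certified that the key belongs to the author.

```python
# Added example, not from the original post: compare gpg --verify results for
# the same signature obtained over two channels and check the trust status.
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class VerifyResult:
    good_sig: bool              # a GOODSIG status line was seen
    sig_fpr: Optional[str]      # fingerprint of the (sub)key that made the signature
    primary_fpr: Optional[str]  # fingerprint of the primary key (10th VALIDSIG field)
    trust: Optional[str]        # TRUST_UNDEFINED / TRUST_NEVER / ... / TRUST_ULTIMATE


def parse_status(status_text: str) -> VerifyResult:
    """Extract the fields that matter from gpg's --status-fd output."""
    good, sig_fpr, primary_fpr, trust = False, None, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            fields = parts[2:]
            sig_fpr = fields[0]
            # The primary key fingerprint is the optional 10th field; if it is
            # absent, fall back to the fingerprint of the signing key itself.
            primary_fpr = fields[9] if len(fields) >= 10 else sig_fpr
        elif keyword.startswith("TRUST_"):
            trust = keyword
    return VerifyResult(good, sig_fpr, primary_fpr, trust)


def verify_file(sig_path: str, data_path: str) -> VerifyResult:
    """Verify a real download with gpg (requires gpg on the PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return parse_status(proc.stdout)


def compare_channels(results: Dict[str, VerifyResult]) -> Dict[str, object]:
    """Did every channel yield a good signature from one and the same primary key?"""
    fprs = {name: r.primary_fpr for name, r in results.items()}
    all_good = all(r.good_sig for r in results.values())
    consistent = None not in fprs.values() and len(set(fprs.values())) == 1
    # gpg only drops the "not certified" warning at full or ultimate trust.
    certified = all(r.trust in ("TRUST_FULLY", "TRUST_ULTIMATE") for r in results.values())
    return {"all_good": all_good, "consistent": consistent,
            "certified": certified, "fingerprints": fprs}


# Constructed status output, as gpg would emit it for an uncertified but valid key.
# Key IDs, fingerprints and the address are placeholders, not real keys.
WEB_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-01-01 1704067200 0 4 0 22 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
TOR_STATUS = WEB_STATUS  # the Tor copy verified against the same key
# Constructed output for a copy whose signature came from a different key.
TAMPERED_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Maintainer <maintainer@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2024-01-01 1704067200 0 4 0 22 8 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def demo() -> Dict[str, Dict[str, object]]:
    """Offline run over the constructed outputs: one agreeing pair, one mismatch."""
    web = parse_status(WEB_STATUS)
    return {
        "agree": compare_channels({"web": web, "tor": parse_status(TOR_STATUS)}),
        "mismatch": compare_channels({"web": web, "tor": parse_status(TAMPERED_STATUS)}),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

In real use, replace the constructed strings with `verify_file(...)` calls on the signature and archive fetched over each channel (for the Tor copy, for example, via `torsocks` or a SOCKS proxy); `consistent` answers the question's "is the fingerprint the same", while `certified` tells you whether the quoted warning would still appear.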

