Looking at how the mirrors for all the openssh distros are laid out, I don't see much point in trying to verify them using PGP unless you've previously imported it. Each mirror contains the public key, the file, and the signature in the same directory, so any first-time downloader could get a tainted distribution with an "authentic" signature. If somebody did manage to find a way to hack a mirror, they could easily copy over their public key, hacked file, and signature. At the very least, the public key needs to be kept on a different set of [secure] servers, possibly even with an MD5 of the public key sitting on a third server just to make it all the more difficult to falsify authentication.
I haven't looked lately, is this a common practice with mirror sites and PGP signing distributions? If so, it seems to eliminate the purpose PGP signing was originally intended for.
