
>HTTP downloads are still fine in 2025 though, putty releases all come with signatures that can be used to check if anything was tampered with.

1) People don't check, and 2) the root of trust for those signatures is almost always the same HTTP source as the download!

In contrast, package managers do check, and they have a root of trust at least from install time.


