FWIW, this reasonable request can be accommodated without necessarily setting up HTTPS on the download site. The devs could post the checksums on a distinct, 2FA-protected HTTPS site like Twitter, for example [1]

[1] https://twitter.com/coreinsiderprog/status/69213854723989504...

Wouldn't it be easier to just setup an automated Let's Encrypt set up and avoid depending on a third party website?

In any case, they could also just include the keys somewhere in trueos.org, which does support HTTPS.