True, but nothing holds a candle to a full GPG verification of Thomas' signature, which he places on every official release.
Yeah, but that doesn't help people if they aren't on the right website or don't have ThomasV's signature since the fake websites also publish fake GPG signatures.
If THEY don't have Thomas' GPG public key on their keyring, they are not verifying anything! Any fake signatures are beyond worthless compared with Thomas' actual fingerprint-verified key. This is basic stuff.
Another solution, substandard to GPG, would be to verify Electrum's site certificate fingerprint in the URL before downloading any files. In the case of electrum dot org, the correct and ONLY actual fingerprint would reflect the following SHA-256: D0:9E:C1:85:9C:CF:85:4A:42:C1:48:38:8D:33:43:0C:4F:23:77:A3:BB:F3:DE:92:51:9F:0E:6F:E8:63:DE:C6
If you don't see this fingerprint while logged into what you assume is Electrum, you are NOT on the official site. A middleman cannot replicate this fingerprint without pwning the private key, and that is unlikely. Still, GPG is somewhat better and the final acid test.
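The two checks argued over in this thread, as an added example that is not code from any of the posters or from the Electrum project: pin the release-signing key by its fingerprint, accept a signature only if gpg's machine-readable status output names that exact fingerprint (the "Good signature" text alone is what a fake key from a fake site also produces once imported), and compare the site's TLS certificate fingerprint against the one quoted above. The GPG fingerprint value is a placeholder to be filled in from sources you trust; `fetch_cert_sha256` and `verify_release` need network access, `openssl` and `gpg`, while the parsing and comparison functions run offline.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Electrum project):
# pin ThomasV's release-signing key by fingerprint, verify a downloaded
# release against it, and compare the site's TLS certificate fingerprint.
set -eu

# Placeholder, not a real value: the 40-hex fingerprint of the release key,
# obtained out of band from several independent sources, never from the
# download page itself.
EXPECTED_GPG_FPR="${EXPECTED_GPG_FPR:-REPLACE_WITH_40_HEX_FINGERPRINT}"
# SHA-256 certificate fingerprint as quoted in the thread for electrum.org.
EXPECTED_CERT_SHA256="D0:9E:C1:85:9C:CF:85:4A:42:C1:48:38:8D:33:43:0C:4F:23:77:A3:BB:F3:DE:92:51:9F:0E:6F:E8:63:DE:C6"

# Canonical form for comparison: no colons or spaces, upper case.
norm_fpr() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --status-fd output on stdin; succeed only if a VALIDSIG line names
# the expected fingerprint (as signing subkey or as primary key). GOODSIG by
# itself proves nothing: a fake site's fake key also yields GOODSIG once you
# have imported it, so the fingerprint is the only thing worth pinning.
check_validsig() {
    expected=$(norm_fpr "$1")
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line
                sig_fpr=$(norm_fpr "$3")          # signing (sub)key fingerprint
                prim_fpr=$(norm_fpr "${12:-}")    # primary key fingerprint, if present
                if [ "$sig_fpr" = "$expected" ] || [ "$prim_fpr" = "$expected" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Compare two SHA-256 certificate fingerprints regardless of formatting.
cert_fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Fetch the leaf certificate fingerprint the server actually presents
# (needs network; output is the colon-separated hex after "Fingerprint=").
fetch_cert_sha256() {
    host=$1
    openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

# Verify FILE against the detached signature FILE.asc using the pinned key.
# Needs gpg with the key already imported (e.g. gpg --recv-keys "$EXPECTED_GPG_FPR").
verify_release() {
    file=$1
    gpg --batch --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null \
        | check_validsig "$EXPECTED_GPG_FPR"
}

# Example usage (requires network, gpg, and the real fingerprint filled in):
# cert_fpr_matches "$(fetch_cert_sha256 electrum.org)" "$EXPECTED_CERT_SHA256" \
#     && echo "certificate fingerprint matches" || echo "MISMATCH: not the expected site"
# verify_release electrum-release.tar.gz && echo "signed by pinned key" || echo "REJECT"
```

A certificate fingerprint only identifies one particular certificate; it changes whenever the site renews or rotates its certificate, so a mismatch means "not the certificate I pinned", which you then have to investigate, whereas the GPG fingerprint stays stable across releases as long as the signing key does.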