You mean that we can verify the electrum.exe file? I thought what we can verify is the signature file .gz.asc, since in this case the hacker can keep the original.
You are confused about how signatures work.
The .asc file you verify contains a signature from a developer pointing to a specific file. The signature is generated using both the file in question and the developer's private key. If even a single byte in the file is changed, then the signature is no longer valid.
You can test this yourself by downloading the signatures for an older version of Electrum (such as 4.4.5) and trying to use those signatures to verify the latest version (4.4.6). Although the signatures are valid signatures from the devs, they will fail to verify because you are using them to verify a different file.
If an attacker uploads a malicious version of Electrum, then the signatures from the devs will not verify. If they replace the signatures with their own, then it will be obvious that it was not signed by the devs but by someone else.
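The four cases in the reply above, as an added example that is not from the post or from the Electrum project: a Go program using Ed25519 detached signatures as a stand-in for the OpenPGP .asc signatures Electrum actually ships, with constructed byte strings in place of the real release files. The verifier only trusts the developer's public key, so a genuine file verifies, a file with one byte changed fails, an older release's signature fails against the newer file, and an attacker's own signature fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Constructed stand-ins for two release files; real releases are binaries.
var (
	release445 = []byte("electrum-4.4.5.exe (constructed sample contents)")
	release446 = []byte("electrum-4.4.6.exe (constructed sample contents)")
)
// signRelease produces a detached signature over the whole file, the role
// the developer's .asc file plays for a real release.
func signRelease(devPriv ed25519.PrivateKey, file []byte) []byte {
	return ed25519.Sign(devPriv, file)
}
// verifyRelease checks a detached signature against a file using only the
// developer's public key that the user has already imported.
func verifyRelease(devPub ed25519.PublicKey, file, sig []byte) bool {
	return ed25519.Verify(devPub, file, sig)
}
// Scenarios holds the outcome of each case discussed in the reply.
type Scenarios struct {
	Genuine, OneByteChanged, OldSigOnNewFile, AttackerSigned bool
}

// RunScenarios generates a developer key and an attacker key, then checks
// each download the way a user running gpg --verify would.
func RunScenarios() (Scenarios, error) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenarios{}, err
	}
	_, atkPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenarios{}, err
	}
	sig445 := signRelease(devPriv, release445)
	sig446 := signRelease(devPriv, release446)
	tampered := append([]byte(nil), release446...)
	tampered[0] ^= 0x01 // change a single byte of the download
	return Scenarios{
		Genuine:         verifyRelease(devPub, release446, sig446),
		OneByteChanged:  verifyRelease(devPub, tampered, sig446),
		OldSigOnNewFile: verifyRelease(devPub, release446, sig445),
		AttackerSigned:  verifyRelease(devPub, tampered, signRelease(atkPriv, tampered)),
	}, nil
}
```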