Since asking these questions, I've been informed that downloadable tarballs could have been trojaned and then signed by the intruder on hera, implying that the private signing key + passphrase are normally present there.
In that light, the presence of *.sign files published alongside the tarballs isn't useful for ensuring security integrity of source tarballs on kernel.org. It's useful only for making sure that kernel.org mirrors correctly track the upstream site. Kernel tarballs on kernel.org can be vetted by generating them from an sha1-vetted git repo checkout, but that is currently the only way to check their integrity.
I'm a little surprised at that. Those *.sign files and the published Linux Kernel Archives OpenPGP key thus end up, IMO, being a little misleading.
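As an added example (not from the original post or from kernel.org's own tooling), the check described above in POSIX shell: the tarball's contents are re-hashed into a git tree object and compared with the tree of a commit whose SHA-1 was vetted through a trusted clone. It assumes git and tar (with xz available for .tar.xz) are installed; the repository path, commit id and tarball name are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example, not kernel.org code. Verifies that a source tarball is
# byte-for-byte the tree of a git commit whose SHA-1 you already trust.
# Assumes: git and tar on PATH; the tarball has one top-level directory
# (kernel tarballs use linux-X.Y/); the trusted commit id comes from a
# vetted clone, never from the site that served the tarball.

# Print the git tree id of a tarball's contents, ignoring the top-level
# prefix. Every file is re-hashed locally, so nothing in the tarball is
# trusted. -f adds files even if a shipped .gitignore would match them.
tree_id_of_tarball() {
    tarball=$1
    work=$(mktemp -d) || return 1
    tar -xf "$tarball" -C "$work" --strip-components=1 || { rm -rf "$work"; return 1; }
    # A throwaway repository: add + write-tree yields the same tree id the
    # content has inside any repository (export-ignore/export-subst
    # attributes in the upstream tree would make the ids differ).
    id=$(cd "$work" && git init -q . && git add -A -f . && git write-tree)
    rm -rf "$work"
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Compare TARBALL against the tree of COMMIT in REPO.
# Returns 0 on match, 1 on mismatch (tampered or a different release),
# 2 when the commit or tarball could not be read.
verify_tarball_against_commit() {
    repo=$1 commit=$2 tarball=$3
    expected=$(git -C "$repo" rev-parse "${commit}^{tree}" 2>/dev/null) || return 2
    actual=$(tree_id_of_tarball "$tarball") || return 2
    if [ "$expected" = "$actual" ]; then
        echo "OK: $tarball matches tree $expected of commit $commit"
        return 0
    fi
    echo "MISMATCH: $tarball has tree $actual, commit $commit has tree $expected" >&2
    return 1
}

# Usage (placeholders): verify_tarball_against_commit ~/linux v3.0 linux-3.0.tar.xz
```

A signature file only proves who packaged the archive; this comparison proves that the archive is the vetted source tree, which is the property the *.sign files cannot give once the signing key lived on the compromised host.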