
kernel.org no longer centrally signs submissions

Posted Nov 9, 2011 3:11 UTC (Wed) by raven667 (subscriber, #5198)
In reply to: kernel.org no longer centrally signs submissions by jimparis
Parent article: KS2011: Kernel.org report

Just to be clear, an automatic signature _only_ tells you that the bits passed through kernel.org. If you download from kernel.org then it tells you exactly nothing. I'm not sure why you mention SSL; it seems that SSL provides a higher level of assurance, and what SSL provides is pretty lame.

Auto signing doesn't provide any more verification than an md5sum file, which would probably be a better choice. When signatures are used, people often assume a higher level of verification than really exists. Usually when releases are signed, the private key is not publicly accessible and is on a separate device that only release approvers have access to, an offline workstation or smart card for example. That procedure can be a higher level of assurance that the bits you have are the right ones.

