The Linux kernel archive public key (which is needed to verify the signature) is well known, and many people have had their own copy for several years. But if the attacker gained access to the private key, he would be able to sign trojanized tarballs without anybody noticing. On the one hand, the kernel.org page doesn't mention this kind of breach and the key is still used; on the other hand, there are rumors (https://lwn.net/Articles/457142/) that the private key was available on the compromised server, so that the attacker could produce trojanized tarballs with a proper signature - but I find it unlikely because the kernel.org admins don't warn users about it and haven't changed the key.