Well, no, gpg signing cannot be done for rustup 1.0. It is literally impossible since 1.0 is released.
The reason I don’t consider signing a blocker for rustup 1.0 is because the current installers today are not properly verified either, so it is not a degradation in service (although rustup.sh will do verification, it does not guarantee it). For those who were manually verifying the signatures of the old installers, that option remains available.
I do believe that having proper end to end signing of all Rust artifacts is important, and I wish it was done by now, but it is not simply a matter of applying gpg to the problem. There are some details about the plan in this thread.
Edit: from re-reading your message @Manish I gather that you would like me to just retroactively publish sigs for these specific files, not generally solve signing for Rust installation. That’s technically possible, but I don’t think it achieves much security-wise. Since rustup itself downloads and installs executables, without verifying those signatures there’s still a bunch of unverified code running on your system. I’m not inclined to make such changes to the release process on the spot.