But he kept the original signature file. In this case, even if you verified the signature file, you will lose your BTC, since the hacker kept the original file
and only changed the electrum.exe file to his fake version.
The PGP fingerprint will definitely be different, and the hacker cannot impersonate that, only create a new fingerprint.
Also, if you have used your own PGP key to trust the original Electrum signing key, then when you try to verify a binary signed by a malicious PGP key, the program will display a warning during verification: "Warning: this key is not trusted" or words to that effect.
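A shell demonstration of both points raised in this exchange (added here; it is not code from the thread or from the Electrum project): a detached signature kept alongside a swapped binary fails verification, while a genuine signature from a key the user imported but never certified still verifies, but with GnuPG's "not certified" warning. The key names, paths and file contents are constructed, and gpg 2.1 or later is assumed.

```shell
#!/bin/sh
# Two throwaway GnuPG keyrings stand in for the release signer and a user
# who imported the signer's public key without certifying it. Everything
# below (names, paths, file contents) is constructed for this demo.
set -u
WORK=$(mktemp -d)
SIGNER="$WORK/signer"; USER_HOME="$WORK/user"
mkdir -p "$SIGNER" "$USER_HOME"; chmod 700 "$SIGNER" "$USER_HOME"

# 1. Signer generates a key and a detached signature for the release file.
gpg --homedir "$SIGNER" --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Signer <signer@example.invalid>' default default never \
    >/dev/null 2>&1
printf 'legitimate electrum binary\n' > "$WORK/electrum.exe"
gpg --homedir "$SIGNER" --batch --yes --pinentry-mode loopback --passphrase '' \
    --detach-sign --armor -o "$WORK/electrum.exe.asc" "$WORK/electrum.exe" 2>/dev/null

# 2. User imports the public key but does not sign it with their own key,
#    so it has no trust in the user's keyring.
gpg --homedir "$SIGNER" --armor --export signer@example.invalid 2>/dev/null \
  | gpg --homedir "$USER_HOME" --batch --import >/dev/null 2>&1

# verify_release FILE SIG: prints gpg's messages, returns gpg's exit code.
verify_release() {
    gpg --homedir "$USER_HOME" --batch --verify "$2" "$1" 2>&1
}

# Genuine binary: verification succeeds (exit 0) but the output carries
# "WARNING: This key is not certified with a trusted signature!", the
# warning the reply above refers to.
good_status() {
    rc=0; verify_release "$WORK/electrum.exe" "$WORK/electrum.exe.asc" >/dev/null || rc=$?
    echo "$rc"
}
good_warns() {
    verify_release "$WORK/electrum.exe" "$WORK/electrum.exe.asc" | grep -c 'not certified' || true
}

# Swapped binary with the original .asc kept: the signature no longer
# matches the file, so gpg reports BAD signature and exits non-zero.
printf 'trojanised binary\n' > "$WORK/electrum-fake.exe"
tampered_status() {
    rc=0; verify_release "$WORK/electrum-fake.exe" "$WORK/electrum.exe.asc" >/dev/null || rc=$?
    echo "$rc"
}

echo "genuine binary: exit $(good_status), warning lines: $(good_warns)"
echo "swapped binary, original .asc: exit $(tampered_status)"
```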