5

For example, here they put a GPG signature to verify that what you download is what they really made. But why don't they just put a SHA256 hash value? Because it's much faster to check, and sometimes gpg may not be installed on our machine, but SHA is available everywhere. You can even upload the file to virustotal.com and it gives you the hash!

If a hash is secure, why do they use gpg? If it is not secure, why do we use hash values for everything?

user892001

3 Answers

13

When you check the hash value, you have to check it against a reference hash value: this does not solve the problem, just moves it around. You still have to make sure that you got the correct hash value. If the hash value is obtained through the same channel as the software package (i.e. you got them both from an HTTPS Web page), then you have gained nothing against attackers: if the attacker could alter the package, then he could also recompute the hash and alter the hash value you obtain so that you would not see any problem. Typically, someone who hijacks the download server itself.

Hash values "alone" are good at detecting random transmission errors (e.g. a router with bad RAM), not intentional alterations.

Digital signatures offer an enhanced service: they link the package to the individual who produced it, regardless of intermediate servers. With a GPG signature, you can download the package from a shady mirror site and still not have to fear the package being bugged.


As for performance, know that signature verification will have the same cost as computing a hash, plus an extra mathematical operation which even an asthmatic PC should be able to do within a few milliseconds. I seriously doubt you could actually observe that extra cost.

Tom Leek
  • If the attacker can hack the server, he can change the signature/public key as well ... – user892001 Mar 02 '13 at 21:37
  • 3
    Only if the keys are stored on the server, which would be a bad thing to do. Keys should be stored somewhere where they cannot easily be accessed by intruders. – LMS Mar 02 '13 at 22:28
  • It helps a lot with the "CDN" model, you can trust a package from a third party if you verify the keys separately obtained from a trusted source (publisher). The distributed signature (e.g. `.asc`) can be compromised too, but it's somewhat harder to forge a signature for a *specific* key. – mr.spuratic Mar 03 '13 at 20:13
  • 2
    @user892001 PGP Public Keys are usually stored on public servers, e.g. keys.gnupg.net. And there's the [web of trust](https://en.wikipedia.org/wiki/Web_of_trust) - others can sign the public key to certify the actual authenticity, and their keys can be signed as well etc. And if this chain contains someone you actually trust to not lie, it's a lot less likely that the file's signature is from someone else – Tobias Kienzler Mar 08 '13 at 15:03
2

Hashes provide a service to ensure the integrity of something. It is only reliable if you can be sure that you obtained this hash value from a trusted source, one that cannot be altered or masqueraded.

(GPG) digital signatures combine a hash with a cryptographic process which ensures not only the integrity of the signed message (file, mail, ...) but also the authenticity of this message. By means of these digital signatures (usually asymmetric cryptography), you can be sure that the content you checked has not been tampered with and has been issued by the owner of the key (who has access to the private key).

However, digital signatures share the same fate as simple hashes: the chain of trust. You can only be sure that this signature is okay if you can guarantee the public key you use to check the message belongs to the "real" person and not a fake one (like a hacker).

Finally, each process is as secure as the trust you can grant to the "key" element (the hash, the public key). Hashes are not better than signatures, they simply do not serve the same purpose (hashes: integrity / signatures: integrity + authentication).

M'vy
1

With gpg it verifies that only the person with the matching private key could have generated the signature. With just a hash check anyone could have generated the hash; they could have replaced the hash on the download page with one that matches the binary they've just uploaded. The only thing a hash check alone allows is to verify that a mirror is providing the same file as the download page that sends you to the mirror says, and that it didn't suffer accidental corruption during the transfer.

I would like to add that part of what the signature algorithm in gpg does is to hash the file with a cryptographic hashing algorithm like sha256, and this is exactly how cryptographic hashing algorithms like sha256 are supposed to be used.

ewanm89
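Added example, not part of any answer above: a self-contained simulation of the point the answers and comments make, where a hash listed on the download server still matches after the server is compromised, while a signature checked against a separately obtained public key does not. A Lamport one-time signature built from SHA-256 stands in for GPG's signature algorithms so the script needs only the Python standard library; the package bytes, the `server` dictionary and all function names are constructed for illustration.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(package: bytes) -> list:
    d = h(package)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Private key: 256 pairs of random secrets. Public key: the hash of each secret.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(h(a), h(b)) for a, b in priv]
    return priv, pub

def sign(priv, package: bytes) -> list:
    # Hash the package first, then reveal one secret per digest bit.
    return [priv[i][bit] for i, bit in enumerate(digest_bits(package))]

def verify(pub, package: bytes, sig) -> bool:
    bits = digest_bits(package)
    return len(sig) == 256 and all(
        h(s) == pub[i][bit] for i, (s, bit) in enumerate(zip(sig, bits)))

def hash_matches(package: bytes, listed_hex: str) -> bool:
    return hashlib.sha256(package).hexdigest() == listed_hex

def scenario() -> dict:
    priv, pub = keygen()  # publisher's key pair; priv is never stored on the server
    good = b"constructed sample: installer 1.0"
    server = {"pkg": good, "sha256": hashlib.sha256(good).hexdigest(),
              "sig": sign(priv, good), "pubkey": pub}
    results = {"genuine": (hash_matches(server["pkg"], server["sha256"]),
                           verify(pub, server["pkg"], server["sig"]))}
    # Constructed compromise: everything on the server is replaced. Without priv,
    # the replacement can only be signed with a different key.
    evil = b"constructed sample: installer 1.0 + backdoor"
    evil_priv, evil_pub = keygen()
    server = {"pkg": evil, "sha256": hashlib.sha256(evil).hexdigest(),
              "sig": sign(evil_priv, evil), "pubkey": evil_pub}
    # Hash from the server vs. signature checked with the key obtained out of band.
    results["tampered"] = (hash_matches(server["pkg"], server["sha256"]),
                           verify(pub, server["pkg"], server["sig"]))
    # Same download, but the verification key is also taken from the server.
    results["tampered_key_from_server"] = verify(
        server["pubkey"], server["pkg"], server["sig"])
    return results

if __name__ == "__main__":
    print(scenario())
```

Each result pair is (hash check, signature check); the last entry shows that a signature is only as trustworthy as the channel the public key came from.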