Quicklisp still doesn't support HTTPS, which is apparently also necessary to do signature check.

Use HTTPS instead of HTTP - https://github.com/quicklisp/quicklisp-client/issues/167

Indeed, while you can use ql-https for, well, HTTPS, it's not the easiest thing to install (especially if you want to put everything somewhere else than ~/common-lisp/) and adding other distributions (like, say, Ultralisp) is a bit finicky.