You're attempting to install a new release that contains new features. One of those features is cryptographically signed a) releases, b) snapshots, c) patches, and d) packages. All of these use the new
signify(1) program and related infrastructure, which for releases, snapshots, and packages, includes a signed checksum file SHA256.sig.
See FAQs 1.9, 3.5, 15.3.11, and the Upgrade Guide: 5.4 to 5.5.