Is there a guide for verifying the PGP signatures? For example, if one looks at this webpage you'll notice at the bottom there are sha256sums sha256sums.asc and sha256sums.sig
Generally I would download sha256sums and sha256sums.asc and then run gpg --verify sha256sums.asc sha256sums.txt to confirm the validity.
What is sha256sums.sig used for?