So a FOSS project might have signed releases with a GPG sig. How do you verify it on a Linux machine?
The example here is sigp/lighthouse, but the idea is the same for any project.
Install gpg: sudo apt install gpg
Grab their PGP key ID from their download page and
gpg --keyserver pgp.mit.edu --recv THEIRKEYID
and wait for the key to be fetched from the keyserver.
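
Once the key is imported, the check that matters is that the signature was made by the key whose full fingerprint the project publishes, not just by some key in your keyring. The following is an added example, not from the original note or from the lighthouse project: a helper that reads the output of gpg --status-fd 1 --verify and passes only on a VALIDSIG from the expected fingerprint. The function names, file names and sample fingerprints are made up for illustration.

```shell
#!/bin/sh
# Added example: decide pass/fail from gpg's machine-readable status output.
# Real use (file names are placeholders):
#   gpg --status-fd 1 --verify release.asc release | check_sig_status "$FPR"

# check_sig_status EXPECTED_FPR   (status lines on stdin)
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the signing key or
# its primary key, and no line reports a bad, expired or revoked signature.
check_sig_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Assumption: a v4 key, so a full 40-hex-digit fingerprint, not a key ID.
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# Constructed sample status output (not from a real key or release).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER_FPR=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
sample_good() {
    printf '%s\n' \
      "[GNUPG:] NEWSIG" \
      "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>" \
      "[GNUPG:] VALIDSIG $SAMPLE_FPR 2024-01-01 1704067200 0 4 0 22 8 00 $SAMPLE_FPR"
}
sample_other_key() {  # cryptographically valid, but from a different key
    printf '%s\n' \
      "[GNUPG:] VALIDSIG $OTHER_FPR 2024-01-01 1704067200 0 4 0 22 8 00 $OTHER_FPR"
}
sample_bad() {
    printf '%s\n' \
      "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>"
}

sample_good | check_sig_status "$SAMPLE_FPR" && echo "signature OK: made by the expected key"
```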