They don't publish it. You will need to verify the PGP Signature, which is not that hard.
1. Import ThomasV's pubkey:
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x2BD5824B7F9470E6
2. Verify if it's imported:
gpg --fingerprint 0x2BD5824B7F9470E6
3. Download the signature file on the
website.
4. Verify with:
gpg --verify signatureFile.asc ElectrumFile.tar.gz
When trying to to that I get this:
gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe
gpg: Signature made Пан 02 Ліп 2018 10:12:08 +03 using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (
https://electrum.org) <
thomasv@electrum.org>"
gpg: aka "ThomasV <
thomasv1@gmx.de>"
gpg: aka "Thomas Voegtlin <
thomasv1@gmx.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
What does this warning mean?