Besides checking the SHA256 hash, can anybody help me out with the procedure for verifying that I am getting the correct download and not being MITMed?
I have gpg installed. Where can I get the developer's public key to run verify? Is there a sig file for the archive, or do I just verify the SHA256 keys with the PGP signature embedded with the SHA sums? How is that done? Do I need to strip the sig out, or can I do it directly?
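As an added, self-contained walk-through of the procedure the question asks about (this is example code, not part of the original post or of any project's release tooling): it covers both signature styles a project might publish, a clearsigned `SHA256SUMS.asc` with the signature embedded and a detached `SHA256SUMS.sig`, shows that gpg strips the signature block itself so nothing has to be edited by hand, and shows why the verification keyring should hold only the developer's key. It assumes GnuPG 2.x and coreutils `sha256sum` on PATH; the project, key and file names (`release-1.0.tar.gz`, `dev@example.invalid`, `att@example.invalid`) are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: verifying a download against a
# PGP-signed SHA256SUMS file. Project, key and file names here are made up.
set -eu

# Verify a clearsigned SHA256SUMS.asc ($2) against the keyring in GNUPGHOME $1
# and write the signed text, armor and signature block stripped, to $3. gpg does
# the stripping itself and fails if the signature is bad; nothing is edited by hand.
verify_clearsigned_sums() {
  GNUPGHOME="$1" gpg --batch --yes --quiet --output "$3" --decrypt "$2"
}

# Verify a detached signature ($3) over a plain SHA256SUMS file ($2).
verify_detached_sums() {
  GNUPGHOME="$1" gpg --batch --quiet --verify "$3" "$2"
}

# Compare one downloaded file ($2) against an already-authenticated sums list
# ($1). Only that file's line is checked, and a missing line is an error, so a
# list that happens to omit the archive cannot pass by accident.
check_archive_sum() {
  name=$(basename "$2")
  line=$(grep -E "^[0-9a-f]{64} [ *]$name\$" "$1") || return 1
  (cd "$(dirname "$2")" && printf '%s\n' "$line" | sha256sum --strict --check -) >/dev/null
}

# Sign $4 with the only key in GNUPGHOME $1; $2 is --clearsign or --detach-sign,
# $3 the output file. Stands in for the developer's (or an attacker's) release step.
sign_with() {
  GNUPGHOME="$1" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    "$2" --output "$3" "$4"
}

# Constructed end-to-end run with throwaway developer and attacker keys, a fake
# archive and both signature styles. Returns 0 only if the genuine signatures
# pass and each tampered case is rejected.
run_demo() {
  work=$(mktemp -d)
  dev="$work/dev"; att="$work/att"; user="$work/user"; rel="$work/download"
  mkdir -m 700 "$dev" "$att" "$user" && mkdir "$rel" || return 1
  for home in "$dev" "$att"; do
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "Key <$(basename "$home")@example.invalid>" default default never \
      2>/dev/null || return 1
  done

  # What the project publishes: archives, SHA256SUMS, and signatures over it.
  printf 'pretend tarball bytes\n' > "$rel/release-1.0.tar.gz"
  printf 'another artifact\n' > "$rel/release-1.0-src.zip"
  (cd "$rel" && sha256sum release-1.0.tar.gz release-1.0-src.zip > SHA256SUMS)
  sign_with "$dev" --clearsign   "$rel/SHA256SUMS.asc" "$rel/SHA256SUMS"
  sign_with "$dev" --detach-sign "$rel/SHA256SUMS.sig" "$rel/SHA256SUMS"

  # The verifier's keyring holds only the developer key, obtained out of band
  # (exported directly here; in practice fetched and fingerprint-checked).
  # With only that key present, "Good signature" can only mean the developer's.
  GNUPGHOME="$dev" gpg --batch --quiet --export dev@example.invalid \
    | GNUPGHOME="$user" gpg --batch --quiet --import 2>/dev/null

  # Genuine release: authenticate the sums first, then hash the archive itself.
  verify_clearsigned_sums "$user" "$rel/SHA256SUMS.asc" "$rel/SHA256SUMS.verified" || return 1
  verify_detached_sums "$user" "$rel/SHA256SUMS" "$rel/SHA256SUMS.sig" || return 1
  check_archive_sum "$rel/SHA256SUMS.verified" "$rel/release-1.0.tar.gz" || return 1

  # MITM 1: a line edited inside the clearsigned text gives a BAD signature.
  sed 's/release-1.0-src.zip/evil.zip/' "$rel/SHA256SUMS.asc" > "$rel/edited.asc"
  verify_clearsigned_sums "$user" "$rel/edited.asc" "$rel/edited.txt" 2>/dev/null && return 1
  # MITM 2: sums re-signed with the attacker's key: no matching public key.
  sign_with "$att" --clearsign "$rel/resigned.asc" "$rel/SHA256SUMS"
  verify_clearsigned_sums "$user" "$rel/resigned.asc" "$rel/resigned.txt" 2>/dev/null && return 1
  # MITM 3: a swapped archive under a genuine sums file: checksum mismatch.
  printf 'malicious bytes\n' > "$rel/release-1.0.tar.gz"
  check_archive_sum "$rel/SHA256SUMS.verified" "$rel/release-1.0.tar.gz" 2>/dev/null && return 1

  for home in "$dev" "$att" "$user"; do
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
}

if [ "${1:-}" = demo ]; then
  run_demo && echo "genuine release accepted, all tampered cases rejected"
fi
```

Run it with `sh verify_demo.sh demo`. The order matters: the signature over the sums file is checked before the archive's hash is compared, because an attacker who can swap the archive can also swap an unsigned `SHA256SUMS`. A `Good signature` line from gpg only says the signature matches some key in the keyring, so the demo verifies against a keyring that contains nothing but the developer's key; in practice that key's fingerprint should be compared against one obtained through a channel other than the download site itself.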