Then the idea is that if SHA256SUMS, when checked with Kleopatra or whatever software you use, gives a valid signature for this file, this means that the sha256 of every file listed there is accurate, since I don't see a way this could be gamed. It should be safe enough, and having every individual file signed would be overkill I guess.
The signature verification method used by the Bitcoin Core devs is as follows:
They provide a SHA256SUM file and another .gpg document (SHA256SUM.asc) that signs the common SHA256SUM file; this document (SHA256SUM) contains the hashes of all versions of the Bitcoin Core binaries.
You can get the hash of a binary you downloaded using the following examples (according to your operating system):
For example, for the .exe binary of version 28.1:
certUtil -hashfile bitcoin-28.1-win64-setup.exe SHA256
SHA256 hash of bitcoin-28.1-win64-setup.exe:
e48722e54b0ac61c296371aa940d61ff8fbc0a5a3f14fd41b3218179e73fff84
You can open the SHA256SUM file in a notepad and you will see that the above hash is listed next to the binary you downloaded. This is an effective check and ensures that you downloaded the correct file:

Linux:
gpg --verify SHA256SUMS.asc
or
sha256sum --ignore-missing --check SHA256SUMS
In the output produced by the above command, ensure that "OK" is listed after the name of the release file you downloaded. For example: bitcoin-28.1-x86_64-linux-gnu.tar.gz: OK
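Added example (not from the thread or from Bitcoin Core): a small Python script that does what the `sha256sum --ignore-missing --check SHA256SUMS` step above does, so you can see exactly what "OK", "FAILED" and a silently skipped line mean. It parses the `hexdigest  filename` lines of a SHA256SUMS file, hashes the files that are actually present, and reports a download that is not listed at all. The file names, contents and the tampered byte in `demo()` are constructed for the example. Note that this only checks the hashes; the `gpg --verify SHA256SUMS.asc` step is still what ties the list to the developers' keys.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256; same digest certUtil and sha256sum print."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'hexdigest  filename' lines as written by sha256sum.

    Blank lines and '#' comments are skipped; sha256sum separates the digest
    and name with two spaces (or ' *' in binary mode), both are accepted.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        entries[name] = digest
    return entries


def check_file(sums_path, file_path):
    """Check one download against the list: 'OK', 'FAILED' or 'NOT LISTED'."""
    with open(sums_path, encoding="utf-8") as f:
        listed = parse_sha256sums(f.read())
    name = os.path.basename(file_path)
    if name not in listed:
        return "NOT LISTED"  # a release file the signed list never mentioned
    return "OK" if sha256_of_file(file_path) == listed[name] else "FAILED"


def check_directory(sums_path, directory):
    """Mirror `sha256sum --ignore-missing --check`: every listed file that is
    present in `directory` gets 'OK' or 'FAILED'; listed files that were not
    downloaded are skipped instead of being reported as missing."""
    with open(sums_path, encoding="utf-8") as f:
        listed = parse_sha256sums(f.read())
    results = {}
    for name, expected in listed.items():
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = "OK" if sha256_of_file(path) == expected else "FAILED"
    return results


def demo():
    """Constructed sample: two downloads, one of them modified after the list
    was written, plus a list entry for a release that was never downloaded."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "bitcoin-good.tar.gz")          # constructed name
    tampered = os.path.join(tmp, "bitcoin-tampered.tar.gz")  # constructed name
    unlisted = os.path.join(tmp, "bitcoin-unlisted.tar.gz")  # constructed name
    for path in (good, tampered, unlisted):
        with open(path, "wb") as f:
            f.write(b"release bytes (constructed sample content)")

    # The SHA256SUMS file records the digests of the untouched files.
    sums = os.path.join(tmp, "SHA256SUMS")
    with open(sums, "w", encoding="utf-8") as f:
        f.write(f"{sha256_of_file(good)}  bitcoin-good.tar.gz\n")
        f.write(f"{sha256_of_file(tampered)}  bitcoin-tampered.tar.gz\n")
        f.write(f"{'0' * 64}  bitcoin-not-downloaded.tar.gz\n")

    # Simulated tampering: one download is altered after the list was made.
    with open(tampered, "ab") as f:
        f.write(b"\x00")

    return check_directory(sums, tmp), check_file(sums, unlisted)


if __name__ == "__main__":
    per_file, unlisted_status = demo()
    for name, status in per_file.items():
        print(f"{name}: {status}")
    print(f"bitcoin-unlisted.tar.gz: {unlisted_status}")
```

Running it prints one line per listed-and-present file, just like sha256sum does, and the unlisted download is flagged rather than silently passing; the `bitcoin-not-downloaded.tar.gz` entry is skipped exactly as `--ignore-missing` would skip it.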
You can do these hash checks with Kleopatra.
If you have file compression software that is open source, like 7zip (don't use WinRAR, as it's not open source), you can check the SHA-256 hash by right-clicking on the file, then finding the 7zip option. It will list some options; select CRC SHA and choose either "SHA-256" to get only the SHA256 of the file, or "*" to get other hashes besides sha256, like SHA1.
If you already have 7-zip installed on your host, you can simply right-click on the file and select the hashing algorithm. A window will pop up showing the calculated checksum.