Heads firmware validation

I’m still wrapping my head around all the ways you can verify with GPG.

This one makes no sense to me.

So in the documentation, we’re validating the sha256sum.sig and the sha256sum, confirming the sig came from Meissner. But this verification doesn’t touch the firmware file we’re actually installing on the system.

How does this prove that the file is correct? Is it simply because it was uploaded on the same date as the shasum.sig and shasum?

I guess you refer to this link. Please state the documentation you refer to next time.

The sha256sum contains the following:

64e27e552e102e5bb3826116b9758e0ffac1d1e20748ee3e668c7a97f9cf1599  firmware-nitropad-ns50-v2.5.0.npf
d06b6b24abe532b9620d571be865177e1c0a3b29bd892d2305017aa610eec420  firmware-nitropad-ns50-v2.5.0.rom
c1bca7ecfc881faa5b16a6dac8fc253000c9a245f2b47b93d2791e93d18a5e18  firmware-nitropad-ns50-v2.5.0.zip
…

A checksum of all the files and the filename.

You are correct that with the procedure in the documentation only the origin and validity of that file are protected by the gpg signature.

There are multiple ways to verify the sha256sum depending on OS and preference. You could search the file for the name of your downloaded firmware file, calculate the sha256sum with the tool of your choice and compare it.

On Linux or Windows with Cygwin or GitBash, you could do the following:

sha256sum --ignore-missing --quiet --check sha256sumfile

This should be added to the documentation.
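
The chain described in the reply above (the signature covers the sha256sum file, and the sha256sum file covers the firmware), as an added example that is not part of the original posts or the documentation. The function name check_manifest_entry is hypothetical, and it assumes file names without whitespace, as in the listing above.

```shell
#!/bin/sh
# Added example. Step 1 is the documentation's signature check on the manifest:
#   gpg --verify sha256sum.sig sha256sum
# (confirm that the fingerprint gpg prints is the signer's published one;
#  gpg reports a good signature for any key in your keyring).
# Step 2, below, ties the downloaded firmware to that signed manifest.

# check_manifest_entry MANIFEST FILE
# Returns 0 only if FILE's name is listed exactly once in MANIFEST and its
# SHA-256 matches; 1 on hash mismatch; 2 if the name is missing or ambiguous.
check_manifest_entry() {
    manifest=$1
    file=$2
    name=$(basename -- "$file")

    # Manifest lines are "<hash>  <name>" (text) or "<hash> *<name>" (binary).
    # Compare the whole name so "fw.rom" never matches "fw.rom.bak".
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$manifest")

    # Fail closed: an unlisted file must not pass silently.
    count=$(printf '%s\n' "$expected" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "FAIL: $name is not listed exactly once in $manifest" >&2
        return 2
    fi

    actual=$(sha256sum -- "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the signed manifest"
        return 0
    fi
    echo "FAIL: $name differs from its manifest entry" >&2
    return 1
}
```

Run it only after the signature check on the manifest has succeeded; a matching hash from an unverified manifest proves nothing about origin.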