well, it needs to start with verifying the tool before verifying other things. 🤓

and in this case, the software didn't sign too? and how can I tell is it sign or not? ( when do I need to do the sha256sum --check step )

Natalia

Ok haha, verifying the tool you use to verify is a funny special case. But very good idea and this gets deep and philosophical fast. 😔

> but it's showing one of the expired keys, I think it still meant the file is OK.

I also think so

> am I doing it correctly?  👀

Yes, you are doing great!
