Thursday, August 15, 2024

How to verify the digital signatures of a downloaded file

Software vendors usually publish a signature file. For example, the signature file for Wireshark can be found at https://www.wireshark.org/download/SIGNATURES-4.2.6.txt

The signature can then be verified on a Mac with the "gpg --verify" command:

gpg --verify /Users/user/Downloads/wireshark.asc.txt /Users/user/Downloads/Wireshark\ 4.2.6\ Arm\ 64.dmg

If the public key used for signing is not available locally, gpg cannot check the signature and prints the error message below:

gpg --verify /Users/user/Downloads/wireshark.asc.txt /Users/user/Downloads/Wireshark\ 4.2.6\ Arm\ 64.dmg
gpg: Signature made Wed Jul 10 23:58:50 2024 IST
gpg:                using RSA key 5A5ADBA7DBEA6C3F87224F1982244A78E6FEAEEA
gpg: Can't check signature: No public key

To add the public key, the command below can be used:

gpg --keyserver keyserver.ubuntu.com --recv-keys 0xE6FEAEEA 

The key ID is also published by the software vendor. For example, Wireshark has mentioned it here.



The .asc file may not be directly available. In that case, it can be extracted from the provided signature file.

Note: most of the time, gpg --verify requires a detached signature file, which can be obtained by extracting just the highlighted content.
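
One way to script the extraction and the key check described above, as an added example that is not from the original post: it pulls the armored signature block out of a vendor signature file, and confirms from gpg's machine-readable status output that the signature was made by the full fingerprint you expect rather than a short key ID. The function names extract_sig and signed_by and all file names are assumptions.

```shell
# Added example; function names are hypothetical, not part of gpg or the post.

# extract_sig FILE: print the first complete ASCII-armored signature block
# in FILE (CRLF line endings tolerated). Exit status 1 if none is found.
extract_sig() {
  awk '
    { sub(/\r$/, "") }
    /^-----BEGIN PGP SIGNATURE-----$/ { inside = 1; buf = "" }
    inside { buf = buf $0 "\n" }
    inside && /^-----END PGP SIGNATURE-----$/ { printf "%s", buf; found = 1; exit }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# signed_by FINGERPRINT: read `gpg --status-fd 1 --verify ...` output on stdin.
# Exit 0 only if a VALIDSIG line names FINGERPRINT as the signing key or its
# primary key; exit 2 if FINGERPRINT is not a full fingerprint (short key IDs
# such as 0xE6FEAEEA are refused); exit 1 otherwise.
signed_by() {
  _want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  case "$_want" in ''|*[!0-9A-F]*) return 2 ;; esac
  [ "${#_want}" -ge 40 ] || return 2
  # Appending "" forces a string comparison even for all-digit fingerprints.
  awk -v want="$_want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
      (($3 "") == want || ($NF "") == want) { ok = 1 }
    END { exit(ok ? 0 : 1) }
  '
}

# Usage (file names are placeholders):
#   extract_sig vendor-signatures.txt > download.asc
#   gpg --status-fd 1 --verify download.asc download.dmg 2>/dev/null |
#     signed_by "<full fingerprint published by the vendor>"
```

If the vendor file begins with "-----BEGIN PGP SIGNED MESSAGE-----", it is clearsigned: the signature covers the text of that file, so run gpg --verify on the file itself and then compare the hash it lists with the hash of the download.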






