Clean up the verifying-signatures page, explain trust chains
From #4069 (closed):
The section on checking the signature doesn't teach the user anything about what GPG actually does. We might as well just ship them SHA-1 hashes of the download files. We should plan to clean up the verifying-signatures page to explain trust chains, and extract key points from it into an updated version of this text.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information