Clean up the verifying-signatures page, explain trust chains
From #4069 (closed):
The section on checking the signature doesn't teach the user anything about what GPG actually does. We might as well just ship them SHA-1 hashes of the download files. We should plan to clean up the verifying-signatures page to explain trust chains, and extract key points from it into an updated version of this text.