This little snippet shows the basics of verifying a file against its detached GPG signature (.asc):
```bash
# download the signing key from a key server / WKD (the command can differ)
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

# export that public key into a standalone keyring
# (in this case: EF6E286DDA85EA2A4BA7DE684E2C6E8793298290)
gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

# verify the xz file against the corresponding xz.asc signature file
# (bash brace expansion: {.asc,} expands to "<file>.asc <file>")
gpgv --keyring ./tor.keyring tor-browser-linux64-9.0.6_en-US.tar.xz{.asc,}
```
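When the gpgv step above runs inside a script, the exit code alone does not say which key signed. The following is an added example, not part of the original snippet: it parses gpgv's `--status-fd` output and accepts only a `VALIDSIG` whose primary key fingerprint matches the pinned one. The function names, `SAMPLE_FPR` and the sample status lines are constructed for illustration.

```sh
# Added example, not from the original snippet; all names are hypothetical.

# check_status FPR: read gpgv --status-fd lines on stdin. Succeed only if a
# VALIDSIG line names FPR as the primary key and no failure status appears.
check_status() {
    cs_want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    cs_ok=1
    while read -r cs_prefix cs_tag cs_rest; do
        # Ignore anything that is not a machine-readable status line.
        [ "$cs_prefix" = "[GNUPG:]" ] || continue
        case "$cs_tag" in
            # Bad, unverifiable, expired or revoked: fail closed.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # First field is the key that signed (often a subkey);
                # the last field is the primary key fingerprint.
                cs_last=$(printf '%s' "${cs_rest##* }" | tr 'a-f' 'A-F')
                [ "$cs_last" = "$cs_want" ] || return 1
                cs_ok=0 ;;
        esac
    done
    return "$cs_ok"
}

# verify_pinned KEYRING FPR SIGFILE DATAFILE: run gpgv, then apply the check.
verify_pinned() {
    vp_out=$(gpgv --status-fd 1 --keyring "$1" "$3" "$4" 2>/dev/null) || return 1
    printf '%s\n' "$vp_out" | check_status "$2"
}

# Constructed status output (fake fingerprints) for trying the parser offline.
SAMPLE_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2020-02-10 1581350000 0 4 0 1 10 00 $SAMPLE_FPR
EOF
}
```

Called as `verify_pinned ./tor.keyring <fingerprint> file.tar.xz.asc file.tar.xz`, it returns 0 only for a good signature made under the pinned key.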