This repository has been archived by the owner. It is now read-only.

verification-issue: .sig-file corrupt for Sia-UI #753

Closed
johays opened this Issue Dec 26, 2017 · 1 comment

Comments


johays commented Dec 26, 2017

I recently downloaded the Sia-UI from Github. I also downloaded the corresponding .sig-file.
Anyhow, I get a GPG error when I try to verify:

$ gpg --verify Sia-UI-v1.3.1-linux-x64.zip.sig
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

I've tried from different machines with different downloads from four different locations. Still, I get the same error.
I find it strange that software like this, which deals with people's money, doesn't take signature verification super seriously? There are some outstanding resources on how to do proper verification, like here and here. Why is there no proper documentation concerning verification of the software, either on Github or on sia.tech? From a security perspective I find this very troubling.

Member

lukechampine commented Dec 29, 2017

Signature verification was documented in the first release that we signed: https://github.com/NebulousLabs/Sia-UI/releases/tag/v1.0.3

I agree that this could be exposed more visibly, though. I'm sure you are not the first person to try to verify the key with gpg and be concerned when it failed. Perhaps we should add a section with the openssl verification command to the README.
I'm also open to switching to gpg. IIRC we're not locked in to openssl for any technical reason.
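The openssl-style verification the reply refers to, as an added example that is not the Sia-UI project's own script or documentation: it builds a throwaway RSA key and a fake archive locally, signs the archive with `openssl dgst -sign`, and checks the detached signature with `openssl dgst -verify`, which is how a raw OpenSSL signature (not an OpenPGP packet, hence gpg's "no valid OpenPGP data found") has to be checked. The key, file names and archive contents are all constructed here; for a real release you would substitute the project's published public key and the downloaded archive and .sig.

```shell
#!/bin/sh
# Added example: verify a release archive against a detached OpenSSL signature.
# Everything under $WORK is a constructed fixture so the script runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed fixture: throwaway signing key and a fake "release" ---
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/release.key" 2>/dev/null
# The public half is what a project would publish for users to verify against.
openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/release.pub"
printf 'constructed stand-in for Sia-UI archive bytes\n' > "$WORK/Sia-UI.zip"
# Raw RSA signature over SHA-256 of the archive: binary, no OpenPGP framing.
openssl dgst -sha256 -sign "$WORK/release.key" \
    -out "$WORK/Sia-UI.zip.sig" "$WORK/Sia-UI.zip"

# verify_release PUBKEY ARCHIVE SIGFILE
# Exit status 0 only if SIGFILE is a valid signature over ARCHIVE by PUBKEY.
verify_release() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# tampered_copy ARCHIVE -> prints the path of a copy with one byte appended,
# i.e. what a modified download would look like.
tampered_copy() {
    cp "$1" "$1.tampered"
    printf 'x' >> "$1.tampered"
    echo "$1.tampered"
}

# Demonstration: the genuine archive verifies, a modified one does not.
if verify_release "$WORK/release.pub" "$WORK/Sia-UI.zip" "$WORK/Sia-UI.zip.sig"; then
    echo "Sia-UI.zip: Verified OK"
fi
BAD=$(tampered_copy "$WORK/Sia-UI.zip")
if ! verify_release "$WORK/release.pub" "$BAD" "$WORK/Sia-UI.zip.sig"; then
    echo "Sia-UI.zip.tampered: Verification Failure (as expected)"
fi
```

Feeding such a .sig to `gpg --verify` cannot succeed because gpg only parses OpenPGP packets; the file has to be checked with openssl and the publisher's public key, and the trust question then becomes how that public key was obtained.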
