Thank you for sharing this secret. But what the hell is this nis-ncc-0.6.87.zip.sig file, there is no pgp signature.
The sig file contains the block height where a transaction was included and the transaction hash. With that you can go to nembex and display the transaction:
http://chain.nem.ninja/#/transfer/5bfe2979482cd9b5fa80de45c6d3a7bf18531aa63cde9a62d2696fcf863802a4The transaction has a hex message:
4e545903d11f394e5c7623755ca0f504fe7133c529f5c8261883469c54dd672276c0d82f
If you remove the first 4 bytes (8 chars) you should get the sha256 hash of the zip file.
That is my understanding.