To be honest, I have never checked signatures until today. Already downloaded Kleopatra (a couple of times) and started the process (with the help of a how-to tutorial) but always gave up halfway.
I am sure, I have failed every time because is just not easy to set up PGP and I wasn't needed it very badly, for example, to secure all my BTC holdings. In such circumstances, I would do it for sure, no matter how time-consuming and complicated it could be.
well it is a matter of how you value your own security. sometimes we have to endure the complicated process to reach the high security we need. it doesn't come cheap.
with that said i am a windows user and have only verified signature on windows once. i didn't like Kleopatra either. but i did a workaround, i used Ubuntu. download verify Ubuntu signature and now i have that for easy verification each time i download a new software.
This is not the first time we have problems with malicious links to wallets on the web and here on Bitcointalk.
it is probably the biggest attempt but certainly not the first. there has been a lot more in the past, i myself have reported at least 10 or 12 malicious repositories on github trying to fool people into thinking they are downloading the "real" electrum from the "real repository"!
Still, I haven't heard about signatures check using PGP, until a couple of months ago, ...
I think, the best way to handle this is an informational campaign...
from 2016:
https://bitcointalk.org/index.php?topic=1588906.0a good idea to inform others as much as we can, but still the information is already out there, users must look for it themselves.