Board: Bitcoin Technical Support
Topic: Re: Signature Verification of Core: Specific Questions
by nc50lc on 16/08/2024, 03:59:10 UTC
-snip-
When I right click on that and Open with Kleo, I get from Kleo a window that says that SHA256SUMS has been verified with SHA256SUMS.asc, and then I get a list of 10 signatures that could not be verified and the ability to import each of them from the key.
That's how the process should be.
You verified that the "SHA256SUMS" file containing the hashes of Bitcoin Core binaries is legit by doing that.
So you can be certain that the hash that you're comparing to is correct.

For the 10 other signatures (you mean certificates? The signature is the .asc file), it's because you haven't imported and certified the other public keys from the repo where you've downloaded the one you've previously imported.

Quote from: Noob_Is_Relative
But what happened to davidgumberg.gpg that I'm trying to verify? It seems like I'm dealing with apples and oranges and here I'm stuck.
That's a "PGP public key" and it's not the one that you're verifying.
You've imported that to Kleopatra to make sure that the signature in the file "SHA256SUMS.asc" is signed with it.
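The same two-step check, scripted as an added example that is not part of nc50lc's post: it sorts the signatures on SHA256SUMS into good ones and ones whose public key has not been imported, then compares a file's hash with the signed list. The status lines follow GnuPG's `--status-fd` format; the key IDs, signer name, file name and file contents are constructed placeholders.

```python
import hashlib

# Constructed, abbreviated `gpg --status-fd` lines for a SHA256SUMS.asc that
# carries three signatures when only one signer's public key is imported.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer <signer@example.invalid>
[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB
[GNUPG:] NO_PUBKEY CCCCCCCCCCCCCCCC
"""

# Constructed SHA256SUMS with one entry; the hash is SHA-256 of b"abc".
SAMPLE_SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "  bitcoin-example.tar.gz\n"
)

def classify_signatures(status_text):
    """Group signature results by outcome, keyed on the signer's key ID."""
    kinds = {"GOODSIG": "good", "NO_PUBKEY": "missing_key", "BADSIG": "bad"}
    result = {"good": [], "missing_key": [], "bad": []}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] in kinds:
            result[kinds[parts[1]]].append(parts[2])
    return result

def expected_hash(sums_text, filename):
    """Return the hash listed for filename in SHA256SUMS, or None."""
    for line in sums_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[1].strip().lstrip("*") == filename:
            return fields[0].lower()
    return None

def release_ok(status_text, sums_text, filename, data, trusted_keys):
    """True only if a key you imported and certified made a good signature
    on SHA256SUMS and the file's hash equals the listed one."""
    sigs = classify_signatures(status_text)
    if sigs["bad"] or not set(sigs["good"]) & set(trusted_keys):
        return False
    want = expected_hash(sums_text, filename)
    return want is not None and hashlib.sha256(data).hexdigest() == want

if __name__ == "__main__":
    print(classify_signatures(SAMPLE_STATUS))
    print(release_ok(SAMPLE_STATUS, SAMPLE_SUMS, "bitcoin-example.tar.gz",
                     b"abc", {"AAAAAAAAAAAAAAAA"}))
```

A `missing_key` entry is not a failed signature; it only means that signer's public key is not in the keyring, which is the state the 10 unverified signatures are in.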