Developer Program Member shisel. asked :
"Hello, I am attempting to verify a downloaded toolchain package/archive for the AArch64 bare-metal target (aarch64-none-elf), which is listed on the ARM GNU Toolchain Downloads page (https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads).
aarch64-none-elf
The relevant files in my case are: arm-gnu-toolchain-14.2.rel1-mingw-w64-x86_64-aarch64-none-elf.zip arm-gnu-toolchain-14.2.rel1-mingw-w64-x86_64-aarch64-none-elf.zip.asc arm-gnu-toolchain-14.2.rel1-mingw-w64-x86_64-aarch64-none-elf.zip.sha256asc
arm-gnu-toolchain-14.2.rel1-mingw-w64-x86_64-aarch64-none-elf.zip
arm-gnu-toolchain-14.2.rel1-mingw-w64-x86_64-aarch64-none-elf.zip.asc
arm-gnu-toolchain-14.2.rel1-mingw-w64-x86_64-aarch64-none-elf.zip.sha256asc
However, I have been unable to locate the corresponding GPG public key necessary for signature verification. I have searched extensively — including the download page itself, the broader Arm website, Google — but have not found any reference to it. That means the signature (.asc) file has nothing to be verified against. Could you please provide guidance on where the relevant GPG public key can be found? If I have overlooked something, I would appreciate clarification. Thanks!"
Developer Program Member IanArkver gave the answer :
"The asc files are md5 and sha256 hashes, not GPG signatures. The Release Notes on the same page have a section called "Verifying the downloaded packages" with details on how to use them."
If you are facing a similar issue, feel free to ask in the support forum here!