My theory is this:

Find the public key of the developer directly from them or from a clearly official repository of the project (for example on GitHub/GitLab etc.).

In the case of the Electrum Bitcoin wallet, I guess these are recent .asc files at
Because many people were talking about the ThomasV.asc file being the main developer's one, I have downloaded it (it has to be the raw file, not a webpage):

cd /path/to/downloadedfile/
wget -q # download file with an official public key
gpg --import ThomasV.asc # import that key
gpg --verify electrum-4.4.6-x86_64.AppImage.asc electrum-4.4.6-x86_64.AppImage # verify certain signature against certain file

It may return various confusing messages like:
Can't check signature: No public key
WARNING: This key is not certified with a trusted signature!

but in the end I guess what matters (assuming we imported the official public key) is the part which says:
Good signature
Bad signature

Please correct me if I am wrong.
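
Added example, not part of the original post: a script can read gpg's machine-readable `--status-fd` lines instead of its human-readable messages, and accept a file only when a good signature comes from one pinned key fingerprint. The helper names `check_status` and `verify_pinned`, the fingerprint and the sample status lines are constructed for illustration; the real fingerprint has to come from a source you trust.

```shell
#!/bin/sh
# Added example: decide on gpg's --status-fd output, pinned to one fingerprint.

# Constructed sample: one good signature from the pinned key, plus a second
# signature from a key that was never imported (the "No public key" case).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Developer <dev@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-08-18 1692350000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1111222233334444 1 10 00 1692350000 9 -
[GNUPG:] NO_PUBKEY 1111222233334444'

# check_status EXPECTED_FPR   (status lines on stdin)
# Returns 0 only if a GOODSIG is followed by a VALIDSIG whose primary-key
# fingerprint (last field) equals EXPECTED_FPR, and no BADSIG was reported.
# Signatures from keys that are not imported (ERRSIG/NO_PUBKEY) are ignored.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # gpg reports the per-signature result line before its VALIDSIG line
        $2 ~ /^(GOODSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG)$/ { last = $2 }
        $2 == "BADSIG" { bad = 1 }
        $2 == "VALIDSIG" && last == "GOODSIG" && toupper($NF) == want { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_pinned SIGFILE DATAFILE EXPECTED_FPR
# Runs gpg and lets check_status decide; gpg's own exit code is not used,
# because it is non-zero whenever any signature in the file cannot be checked.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Usage (placeholder fingerprint):
#   verify_pinned electrum-4.4.6-x86_64.AppImage.asc \
#       electrum-4.4.6-x86_64.AppImage "<FULL-FINGERPRINT-FROM-TRUSTED-SOURCE>" \
#       && echo "OK: signed by pinned key"
```

A key that is merely imported but not pinned would also produce "Good signature", so the comparison against the full fingerprint is what ties the result to the intended developer.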