My theory is this:

Find public key of the developer right from them or from clearly official repository of the project (for example on Github/Gitlab etc.).

In case of Electrum Bitcoin wallet, i guess these are recent .asc files at https://github.com/spesmilo/electrum/tree/master/pubkeys
Because many people was talking about ThomasV.asc file being main developer's one, i have downloaded it (it has to be raw file, not a webpage):

Code:
cd /path/to/downloadedfile/
wget -q https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc # download file with an official public key
gpg --import ThomasV.asc # import that key
gpg --verify electrum-4.4.6-x86_64.AppImage.asc electrum-4.4.6-x86_64.AppImage # verify certain signature against certain file
It may return various confusing messages like:
Can't check signature: No public key
WARNING: This key is not certified with a trusted signature!

but at the end i guess what matter (assuming we imported official public key) is the part which says:
Good signature
or
Bad signature

Please correct me if I am wrong.