The original instructions on how to verify the release signing key used
the `--list-sigs` option for gpg. However, unlike `--check-signatures`,
the `--list-sigs` option does not verify the authenticity of key
signatures.
See gpg2(1):
--list-signatures
--list-sigs
Same as --list-keys, but the signatures are listed too.
[...]
Note that in contrast to --check-signatures the key signatures
are not verified.
[...]
--check-signatures
--check-sigs
Same as --list-keys, but the key signatures are verified and
listed too.
[...]
This updates the documentation to use `--check-signatures` instead.
