Today our download pages allude to being able to verify artifacts, either through Sigstore (recommended) or GPG, however these instructions aren't as clearly documented as they could be and in theory we want everyone downloading from python.org to be taking advantage of one of these two options.

My proposal is to:

• Add an anchor to the download details page for GPG identities so it can be linked to directly.
• For all download detail pages:
  • Provide a link to the instructions for verifying with GPG
  • If there are Sigstore artifacts, also provide links to instructions for verifying Sigstore.
  • Recommend users using Sigstore over GPG when it's available.