Download .ISO file and .SIG file and save them in the same directory.
Check here to use the correct key ID and files, used key here is an example, it could change in the future.
Open a terminal in that directory and run:
gpg --recv-key CDF595A1
To trust the key run:
gpg --edit-key CDF595A1
In the GPG prompt, enter trust
It will ask you to enter a trust level number 1 the lowest, 5 the highest trust level.
If you fully trust the key (in case of EndeavourOS I do) enter 5
If you enter a lower number, the trust is still there but at a lower level. A warning will pop up saying this trust is only partial. This is to be expected as it depends on your trust level choice.
Enter will save, and exit gpg with quit
To verify the ISO itself, run:
gpg --verify EndeavourOS_Endeavour_neo-2024.09.22.iso.sig
This should output something like:
All done, you have now imported the key, set its trust level and verified the .ISO with the .SIG file.