"You can find the SHA256 checksums for xxx online and you can verify the checksums signature file which has been signed using xxx's GPG key"
A SHA is a Secure Hash Algorithm (link), a one-way function whose inverse is difficult, if not impossible, to compute. I think it's called an injective non-surjective function.
Anyway, online, we use SHA checksums to verify file integrity.
On Checksums...
For example, compute the checksum from the command line in the folder of the file you need to check, thus:
$ shasum -a 256 vagrant_1.8.1.dmg
Verify manually by inspection against a published copy of the checksums, e.g.
1bda0aed9691145a97cb5a8ae7b3492cc5e15a03 vagrant_1.8.1.dmg
vagrant_1.8.1_SHA256SUMS.txt
Or verify automatically if you have the published copy of the checksums file in the same directory as the file you need to check:
$ shasum -a 256 -c vagrant_1.8.1_SHA256SUMS.txt
vagrant_1.8.1.dmg: OK
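The check that `shasum -a 256 -c` performs can be written out in a few lines. This is an added example, not part of the original post; the file name `sample.dmg` and its contents are constructed, and the function names are hypothetical. It goes slightly beyond the command above by also flagging a published digest whose length does not match the expected algorithm (a SHA-1 digest is 40 hex characters, a SHA-256 digest is 64).

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}

def parse_sums(text):
    """Parse 'digest  filename' lines (shasum output format) into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.strip().lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries

def file_digest(path, algo):
    # Hash in 1 MiB chunks so large disk images are not read into memory at once.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, sums_text, expected_algo="sha256"):
    """Return 'OK', 'FAILED', 'MISSING' or 'WRONG-ALGORITHM'."""
    published = parse_sums(sums_text).get(os.path.basename(path))
    if published is None:
        return "MISSING"            # file not listed in the checksums file
    if ALGO_BY_HEX_LEN.get(len(published)) != expected_algo:
        return "WRONG-ALGORITHM"    # e.g. a 40-character SHA-1 digest
    actual = file_digest(path, expected_algo)
    return "OK" if hmac.compare_digest(actual, published) else "FAILED"

def demo():
    """Run verify() over a constructed file and constructed checksum lines."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.dmg")
        with open(path, "wb") as f:
            f.write(b"constructed sample payload\n")
        good = file_digest(path, "sha256") + "  sample.dmg\n"
        sha1 = file_digest(path, "sha1") + "  sample.dmg\n"
        zero = "00" * 32 + "  sample.dmg\n"
        return [verify(path, s) for s in (good, sha1, zero, "")]

if __name__ == "__main__":
    print(demo())
```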
Take the example of GPGTools and downloading the GPG Suite for Mac as of today (https://releases.gpgtools.org/GPG_Suite-2015.09.dmg). Without having GnuPG installed, you need to verify the downloaded file using the checksum, i.e. by comparing the published value for that file (as of today) to the value calculated by shasum:
SHA-1: f1fd930144720e70bd4c809dd36ac0573b0a7be2
$ shasum GPG_Suite-2015.09.dmg
f1fd930144720e70bd4c809dd36ac0573b0a7be2 GPG_Suite-2015.09.dmg
Further reading
gnupg.org
kp.mit.edu
www.openoffice.org
(New Section) Diving into virtual machines with VirtualBox and Vagrant
1. VirtualBox
2. Vagrant