How to cryptographically verify the authenticity and integrity of Android Studio releases (with gpg?)

For a given Android Studio release published by Google, how can I cryptographically verify the authenticity and integrity of the .tar.gz file that I downloaded before I copy it onto a USB drive and attempt to install it on my laptop? Today I wanted to download Android Studio, but the download page said nothing about how to cryptographically verify the integrity and authenticity of their release after download. https://developer.android.com/studio#downloads I expected to see a message on the download page telling me: 1. The fingerprint of their PGP release signing key, 1. A link to further documentation, and 1. Links to [a] a manifest file (eg SHA256SUMS) and [b] a detached signature of that manifest file (eg SHA256SUMS.asc, SHA256SUMS.sig, SHA256SUMS.gpg, etc) Unfortunately, the only information I found on the download page was how to verify the integrity of the tarball using a SHA-256 checksum found in a table on the same page. Obviously, this checks integrity but not authenticity. And it provides no security because it's not out-of-band from the .tar.gz itself. How can I preform cryptographic integrity and authenticity verification with Google's Android Studio releases?