grub: verify_detached

 16.3.79 verify_detached
  -- Command: verify_detached ['--skip-sig'] file signature_file
      Verifies a GPG-style detached signature, where the signed file is
      FILE, and the signature itself is in file SIGNATURE_FILE.
      Optionally, a specific public key to use can be specified using
      PUBKEY_FILE.  When environment variable 'check_signatures' is set
      to 'enforce', then PUBKEY_FILE must itself be properly signed by an
      already-trusted key.  An unsigned PUBKEY_FILE can be loaded by
      specifying '--skip-sig'.  If PUBKEY_FILE is omitted, then public
      keys from GRUB's trusted keys (⇒list_trusted, ⇒trust,
      and ⇒distrust) are tried.
      Exit code '$?' is set to 0 if the signature validates successfully.
      If validation fails, it is set to a non-zero value.  ⇒Using
      digital signatures, for more information.