The Problem
A GPG signature file (*.asc) is linked to on libevent.org, but I'm not sure how to use it.
What I Tried
1. gpg --import libevent-2.1.12-stable.tar.gz.asc
   gpg: no valid OpenPGP data found.
   gpg: Total number processed: 0
Note, inspection with vim shows a sensible looking GPG signature (I guess).
2. Googled + Stack Exchange sites:
https://serverfault.com/questions/896228/how-to-verify-a-file-using-an-asc-signature-file
https://unix.stackexchange.com/questions/184947/how-to-import-secret-gpg-key-copied-from-one-machine-to-another
What I expected
Honestly, I was more expecting a SHA256 hash to be posted. Though I understand that if the server hosting the website is compromised, then the hash could be changed to match a malicious tarball. Although, in the case of a compromise of the web server, I'd think the *.asc file could also be changed to a malicious executable...
Maybe how to use the .asc to verify the download could be added to the Documentation/.md?
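Added example (not part of the original issue and not libevent's own tooling): the .asc is a detached signature rather than a key, which is why `gpg --import` finds no OpenPGP data to import; it is checked with `gpg --verify` once the signer's public key has been imported separately. The sketch also pins the signer's fingerprint, which has to come from a source other than the download server; the function names and the sample fingerprint are constructed for illustration.

```bash
#!/usr/bin/env bash
# Verify a release tarball against a detached .asc signature and a pinned
# signer fingerprint. Assumes the signer's public key is already in the
# local keyring (imported from a key file, not from the .asc itself).

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names the pinned fingerprint as the signing key ($3) or as the primary
# key (last field of the VALIDSIG line).
status_has_pinned_validsig() {
  local pinned
  pinned=$(norm_fpr "$1")
  awk -v want="$pinned" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# verify_release TARBALL SIGNATURE PINNED_FPR
# gpg exits non-zero on a bad signature or a missing public key; a zero exit
# only means "good signature by some key in the keyring", so the fingerprint
# comparison is what ties the result to the expected signer.
verify_release() {
  local tarball=$1 sig=$2 pinned=$3 status
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
  printf '%s\n' "$status" | status_has_pinned_validsig "$pinned"
}

# Constructed sample of status output for a good signature (not real data).
SAMPLE_FPR='0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2020-07-05 1593950000 0 4 0 1 8 00 $SAMPLE_FPR"

# Usage, with the fingerprint obtained out of band:
#   verify_release libevent-2.1.12-stable.tar.gz \
#                  libevent-2.1.12-stable.tar.gz.asc "<PINNED FINGERPRINT>"
```

Replacing both the tarball and the .asc on a compromised server does not yield a signature that validates under the pinned key, which is the property a posted SHA256 hash alone does not give.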