It is my understanding that when a file is signed with gpg, the signature provides two guarantees: proof of ownership of the signature and the integrity of the signed data.
Let's say I have a doc.txt I want to sign, so I use:
gpg --output doc.sig --detach-sig doc.txt
But I see that many software distributions use a slightly different scheme to provide the same guarantee using an extra step.
Instead of signing doc.txt directly with gpg, a checksum of doc.txt is created and then this checksum is signed with gpg.
So why add this extra step with the checksum file?
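Added example (not part of the original question): the second half of the checksum scheme described above, in Python. It assumes `gpg --verify` has already authenticated a sha256sum-style manifest (SHA256SUMS), and then hashes each listed file and compares it with its manifest entry; the manifest lines, file names and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()
def parse_sums(text):
    """Parse sha256sum output lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ").removeprefix("*")  # binary-mode marker, if present
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest
    return entries
def verify_sums(manifest_text, directory):
    """Map each manifest name to 'OK', 'MISMATCH' or 'MISSING'; path separators are rejected."""
    results = {}
    for name, expected in parse_sums(manifest_text).items():
        if "/" in name or os.sep in name:
            raise ValueError(f"refusing path component in manifest name: {name!r}")
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == expected else "MISMATCH"
    return results
def demo():
    """Constructed scenario: doc.txt intact, tool.tar.gz altered after signing, missing.bin absent."""
    files = {"doc.txt": b"release notes v1.0\n", "tool.tar.gz": b"tampered archive bytes\n"}
    manifest = "\n".join([
        hashlib.sha256(files["doc.txt"]).hexdigest() + "  doc.txt",
        hashlib.sha256(b"original archive bytes\n").hexdigest() + " *tool.tar.gz",
        "0" * 64 + "  missing.bin",
    ])
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_sums(manifest, d)  # {'doc.txt': 'OK', 'tool.tar.gz': 'MISMATCH', 'missing.bin': 'MISSING'}
```

Only the manifest is covered by the gpg signature, so a successful `gpg --verify` says nothing about the files until this per-file comparison has been done.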