On the GrapheneOS release page download the appropriate file and signature. As of writing the files for a Pixel 3a are
WARNING: You must use the correct files for your device or you risk bricking the phone. Please use files intended for your device.
Now, obtain the GrapheneOS public key. Next, verify the file contains
untrusted comment: GrapheneOS factory images public key RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3
Now for Debian/Ubuntu/Linux Mint install signify-openbsd if it's not on your system.
Then in a directory with factory.pub, the .zip and .zip.sig files type:
If there is no output the signature is valid.