Just a quick copy for https://github.com/caddyserver/devportal/issues/2 : it seems that downloads on Caddy’s website are double gzipped, and the GPG signature is made against the first gzip:
Download "https://caddyserver.com/download/linux/amd64?plugins=http.cors,http.expires,http.filemanager,http.filter,http.minify,http.ratelimit,http.realip" You get a "gzip > gzip > tar" instead of a "gzip > tar" file. The GPG signature (https://caddyserver.com/download/linux/amd64/signature?plugins=http.cors,http.expires,http.filemanager,http.filter,http.minify,http.ratelimit,http.realip) will successfully verify the signature of the gzip file inside the first archive. So you'll need to gunzip once without being able to check the signature, then gpg --verify, and then tar -xvf to gunzip + untar.
This does not seem to be a problem in Chrome or curl or wget. So might be a Firefox quirk.
Would someone get any idea on what is happening?