Please publish the list of the official release PGP keys #937
Description
The idea is that the project page should provide clear steps to verify whether the release is official.
I'm afraid I've no standard way of doing that; however, it would be nice if you could mention the official PGP key ids in the Download section at https://www.jacoco.org/download.html
See also spring-projects/spring-framework#23434 (comment)
Sample implementation for Apache JMeter: https://jmeter.apache.org/download_jmeter.cgi As you see, it refers to the KEYS file and links to the page with gpg commands to verify the signatures.
PS. I don't really expect that everybody would start verifying their downloads, however making the official key ID publicly available would help for automated verifications as well.
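An added example, not part of the original issue or of the JaCoCo project: one way an automated check could use a published key, by parsing GnuPG's machine-readable `--status-fd` output and accepting a release only when the signature is valid and made by the pinned primary key. It assumes the project publishes a full 40-hex-digit fingerprint; `PINNED_FPR` is a constructed placeholder, and `check_status` and `verify_release` are hypothetical helper names.

```shell
#!/bin/sh
# Assumption: the published value is the full primary-key fingerprint.
# This one is a constructed placeholder, not a real release key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line names
# the pinned primary key and no bad, expired or revoked status was reported.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key fingerprint; field 12, when
            # present, is the fingerprint of the primary key it belongs to.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# usage: verify_release <artifact> <detached-signature.asc>
# The signing key must already be in the local keyring (for example imported
# from a KEYS file); the fingerprint pin decides whether it is trusted.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}
```

Pinning the fingerprint means a signature from any other key in the keyring is rejected even though `gpg --verify` itself would report it as good.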