Comment # 1 on bug 1010108 from Neil Rickert

That's not really a bug.  It is more of a feature.

The "sha256" file containing the checksum is signed with a gpg signature. 
Those 14 lines are the gpg signature.

You can edit that file, and delete the gpg signature if you want to.  That will
avoid the message.  I prefer to leave the gpg signature there, and to check
with
  gpg --verify filename.sha256
to check that I have the correct sha256 file.  So I just ignore that message
about "improperly formatted" lines.