You *have to* verify the authenticity of downloaded tarballs to be sure that
you retrieved trusted and untampered software. There are three options:

=> LibrePGP
    .asc ed25519 signature.
    => GNU Privacy Guard
    => public key

    pub   ed25519/0x3A528DDE952C7E93 2021-01-09
          7531BB84FAF0BF35960C63B93A528DDE952C7E93
    uid   goredo releases <goredo@cypherpunks.su>

    $ gpg --auto-key-locate dane --locate-keys goredo at cypherpunks dot su
    $ gpg --auto-key-locate  wkd --locate-keys goredo at cypherpunks dot su

=> OpenSSH
    .sig ed25519 signature.
    => public key
    => its LibrePGP signature
    Fingerprint: SHA256:ddOaswnUBtNbuoEBYQtfcF59sR3Bvzo9pIfSlw9sKx8

    $ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I goredo@cypherpunks.su -n file \
        -s goredo-$v.tar.zst.sig <goredo-$v.tar.zst

=> Metalink4
    .meta4 file contains both LibrePGP and OpenSSH signatures.

=> KEKS/CM
    .cm quantum resistant SLH-DSA signature.
    => public key
    => its LibrePGP signature

    $ fpr=$(kekspp -v -p /data/id <PUBKEY-CM.pub)
    $ echo $fpr
    DB81E5A01871AA5715DD1AEBC2E712D8D31EAA088F3030427CAEF8CDEC9D15E1
    $ mkdir -p pubs
    $ ln -s ../PUBKEY-CM.pub pubs/$fpr
    $ cat goredo-$v.tar.zst.cm goredo-$v.tar.zst | cmsigtool -v -d -pubs pubs
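The OpenSSH check above, wrapped in a small script that pins the published key fingerprint before trusting the key and builds the allowed_signers file that `ssh-keygen -Y verify -f` expects. This is an added example, not goredo's own tooling; it assumes PUBKEY-SSH.pub is a plain one-line public key (not already in allowed_signers format) and that the tarball and .sig file names follow the page's pattern.

```shell
#!/bin/sh
# Values taken from the release page: pinned key fingerprint, signer
# principal and signature namespace. File names are assumptions.
EXPECTED_FPR='SHA256:ddOaswnUBtNbuoEBYQtfcF59sR3Bvzo9pIfSlw9sKx8'
PRINCIPAL='goredo@cypherpunks.su'
NAMESPACE='file'

# Extract the fingerprint field from an `ssh-keygen -lf` line, which looks
# like: "256 SHA256:... comment (ED25519)".
fpr_from_line() {
    set -- $1
    printf '%s\n' "$2"
}

# Return 0 only if the public key file's fingerprint equals the pinned one;
# 2 if ssh-keygen could not read the key at all.
check_pubkey_fpr() {
    line=$(ssh-keygen -lf "$1") || return 2
    actual=$(fpr_from_line "$line")
    [ "$actual" = "$EXPECTED_FPR" ]
}

# Turn a plain "key-type key comment" .pub line into the allowed_signers
# form "principal key-type key" that -Y verify requires.
allowed_signers_line() {
    set -- $(cat "$1")
    printf '%s %s %s\n' "$PRINCIPAL" "$1" "$2"
}

# Verify tarball against its detached .sig; refuses to proceed when the
# key's fingerprint does not match the pinned value.
verify_tarball() {
    pub=$1; tarball=$2; sig=$3
    check_pubkey_fpr "$pub" || {
        echo "fingerprint mismatch or unreadable key: $pub" >&2
        return 1
    }
    allowed=$(mktemp) || return 2
    allowed_signers_line "$pub" >"$allowed"
    ssh-keygen -Y verify -f "$allowed" -I "$PRINCIPAL" -n "$NAMESPACE" \
        -s "$sig" <"$tarball"
    rc=$?
    rm -f "$allowed"
    return $rc
}

# Usage: verify_tarball PUBKEY-SSH.pub goredo-$v.tar.zst goredo-$v.tar.zst.sig
```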