You "have to" verify the authenticity of downloaded tarballs to be sure
that you retrieved trusted and untampered software.

    $ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I gocheese@stargrave.org -n file \
        -s gocheese-$v.tar.zst.sig <gocheese-$v.tar.zst

There are:
=> OpenSSH .sig signature
=> its public key
=> its LibrePGP signature
The public key's fingerprint: SHA256:Akj/MCtxCjPphrgWub2BeChqHDhLMABTYLL/MzqTN+s
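
The signature check is only as trustworthy as the key file given to -f.
The wrapper below is an added example, not part of gocheese or of the
original page: it compares the key file's fingerprint with the one listed
above and only then runs the same ssh-keygen -Y verify command. The
function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: pin the signing key before trusting a signature.
# Fingerprint and signer identity are the ones given on this page.
PINNED_FP='SHA256:Akj/MCtxCjPphrgWub2BeChqHDhLMABTYLL/MzqTN+s'
SIGNER='gocheese@stargrave.org'

# key_fingerprint FILE
# Print the SHA256 fingerprint of the key in FILE. Fails unless FILE holds
# exactly one key line: -Y verify would trust every key listed in it, so an
# appended second key must not slip past the fingerprint comparison.
key_fingerprint() {
    n=$(grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1") || return 1
    [ "$n" -eq 1 ] || return 1
    # Output looks like "256 SHA256:... comment (ED25519)"; keep field 2.
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# verify_release PUBKEY SIG TARBALL [EXPECTED_FP]
# Returns 0 when the key matches the pinned fingerprint and the signature
# is valid, 2 when the key file is not the expected one, 1 when the
# signature does not verify.
verify_release() {
    pub=$1 sig=$2 tarball=$3 want=${4:-$PINNED_FP}
    got=$(key_fingerprint "$pub") || {
        echo "cannot read exactly one key from $pub" >&2
        return 2
    }
    if [ "$got" != "$want" ]; then
        echo "key fingerprint mismatch: got '$got', want '$want'" >&2
        return 2
    fi
    ssh-keygen -Y verify -f "$pub" -I "$SIGNER" -n file \
        -s "$sig" <"$tarball" || return 1
}

# Usage, with $v set to the downloaded version:
#   verify_release PUBKEY-SSH.pub "gocheese-$v.tar.zst.sig" "gocheese-$v.tar.zst"
```

The optional fourth argument exists so the wrapper can be exercised with a
throwaway key; for real downloads leave it out so the pinned value is used.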