You "have to" verify the authenticity of downloaded tarballs to be sure
that you retrieved trusted and untampered software. There are two options:

=> OpenSSH
    .sig ed25519 signature.
    => public key
    => its LibrePGP signature
    Fingerprint: SHA256:Akj/MCtxCjPphrgWub2BeChqHDhLMABTYLL/MzqTN+s

    $ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I gocheese@stargrave.org -n file \
        -s gocheese-$v.tar.zst.sig <gocheese-$v.tar.zst
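    Before trusting PUBKEY-SSH.pub, its fingerprint should equal the one
    published above; the following added example (not part of this page or
    of gocheese) reproduces what `ssh-keygen -lf` computes, using a constructed
    ed25519 key whose raw bytes are 0x00..0x1f, so it deliberately fails to
    match the published fingerprint.

```python
import base64
import hashlib

# Constructed sample key (not the project's real key): an ed25519 public
# key whose 32 raw bytes are 0x00..0x1f, wrapped in OpenSSH wire format.
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = ("ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode()
                      + " constructed@example")

# Fingerprint published on this page for the real signing key.
PUBLISHED_FINGERPRINT = "SHA256:Akj/MCtxCjPphrgWub2BeChqHDhLMABTYLL/MzqTN+s"

def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint of a one-line public key.

    OpenSSH hashes the base64-decoded key blob with SHA-256 and prints the
    digest as unpadded base64 behind a "SHA256:" prefix (ssh-keygen -lf).
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, blob_b64 = fields[0], fields[1]
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob begins with its own key-type string; it must agree with field 1.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len].decode() != keytype:
        raise ValueError("key type field does not match encoded blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_matches(pubkey_line: str, expected: str) -> bool:
    """True only if the downloaded key's fingerprint equals the published one."""
    return ssh_fingerprint(pubkey_line) == expected

if __name__ == "__main__":
    fp = ssh_fingerprint(SAMPLE_PUBKEY_LINE)
    print(fp)
    print("matches published:",
          fingerprint_matches(SAMPLE_PUBKEY_LINE, PUBLISHED_FINGERPRINT))
```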

=> KEKS/CM
    .cm quantum-resistant SLH-DSA signature.
    => public key
    => its LibrePGP signature

    $ fpr=$(kekspp -v -p /data/id <PUBKEY-CM.pub)
    $ echo $fpr
    95D938DD9FFC1C9D5C5B83AFA47511AA1CDC94B09B248ADD0B5DCCF55CAFCA32
    $ mkdir -p pubs
    $ ln -s ../PUBKEY-CM.pub pubs/$fpr
    $ cat gocheese-$v.tar.zst.cm gocheese-$v.tar.zst | cmsigtool -v -d -pubs pubs