You *have to* verify the authenticity of downloaded tarballs to be sure
that you retrieved trusted and untampered software.

Tarballs are signed with an OpenSSH ed25519 signature (.sig file).
=> public key
=> its LibrePGP signature
Fingerprint: SHA256:/Z3T/T2sXaaunefAL6tz3ZykHTDYIMh5TLd9Hh9mxlU

    $ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I pygost@stargrave.org -n file \
        -s pygost-$v.tar.zst.sig <pygost-$v.tar.zst
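
The signature check is only as trustworthy as the key file passed to `-f`, so that file should first be compared with the fingerprint published above. The following is an added example, not part of PyGOST: it assumes PUBKEY-SSH.pub holds a single key, either as a plain .pub line or as an allowed-signers line, and the sample key inside it is constructed.

```python
import base64
import hashlib
import struct
import sys

# Fingerprint published on this page for the release signing key.
PINNED = "SHA256:/Z3T/T2sXaaunefAL6tz3ZykHTDYIMh5TLd9Hh9mxlU"


def key_blob(line: str) -> bytes:
    """Decode the key from a .pub line or an allowed-signers line."""
    fields = line.split()
    for keytype, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # not a keytype/base64 pair (principal, options, ...)
        # The wire format starts with a length-prefixed copy of the key type.
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if n and blob[4:4 + n] == keytype.encode():
            return blob
    raise ValueError("no OpenSSH public key found")


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen prints (unpadded base64)."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_pinned(text: str, pinned: str = PINNED) -> bool:
    """True only if the file holds exactly one key and it matches `pinned`."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    # ssh-keygen -Y verify accepts any listed key for the identity, so an
    # extra line in the file would be an extra trusted signer.
    return len(lines) == 1 and fingerprint(lines[0]) == pinned


# Constructed sample, not the project's key: ed25519 wire blob with dummy bytes.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed"
SAMPLE_SIGNERS = 'pygost@stargrave.org namespaces="file" ' + SAMPLE_PUB

if __name__ == "__main__":
    with open(sys.argv[1]) as fd:
        ok = check_pinned(fd.read())
    print("fingerprint matches" if ok else "FINGERPRINT MISMATCH")
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_fp.py PUBKEY-SSH.pub` (the script name is hypothetical) and continue to the `ssh-keygen -Y verify` step only if it exits with status 0.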