You *have to* verify the authenticity of downloaded tarballs to be sure
that you retrieved trusted and untampered software. There are two options:

=> OpenSSH
    .sig Ed25519 signature.
    => public key
    => its LibrePGP signature
    Fingerprint: SHA256:ddOaswnUBtNbuoEBYQtfcF59sR3Bvzo9pIfSlw9sKx8

    $ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I goredo@stargrave.org -n file \
        -s goredo-$v.tar.zst.sig <goredo-$v.tar.zst
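
The OpenSSH check above as a script that pins the key fingerprint before trusting the signature. This is an added example, not part of goredo or its site: the function names are hypothetical, and PUBKEY-SSH.pub is assumed to be in ssh-keygen's allowed-signers format, which -f expects.

```shell
#!/bin/sh
# Added example, not goredo's own tooling. Function names are hypothetical.
# Assumes SIGNERS (PUBKEY-SSH.pub on the page) is in ssh-keygen's
# "allowed signers" format: principal, key type, base64 key.

# Print the SHA256 fingerprint of the key stored in file $1.
key_fpr() {
    ssh-keygen -l -E sha256 -f "$1" 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# verify_release SIGNERS EXPECTED_FPR IDENTITY TARBALL
# Returns 0 only if the key matches the pinned fingerprint AND the detached
# signature TARBALL.sig is valid for IDENTITY in the "file" namespace.
# 1: bad signature, 2: unexpected key, 3: signature file missing.
verify_release() {
    signers=$1 want=$2 identity=$3 tarball=$4

    got=$(key_fpr "$signers")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "key fingerprint mismatch: got '$got', want '$want'" >&2
        return 2
    fi
    if [ ! -s "$tarball.sig" ]; then
        echo "missing signature: $tarball.sig" >&2
        return 3
    fi
    # Same command as on the page; the tarball is fed on stdin.
    ssh-keygen -Y verify -f "$signers" -I "$identity" -n file \
        -s "$tarball.sig" <"$tarball" || return 1
}

# Usage with the values published on this page:
#   verify_release PUBKEY-SSH.pub \
#       SHA256:ddOaswnUBtNbuoEBYQtfcF59sR3Bvzo9pIfSlw9sKx8 \
#       goredo@stargrave.org "goredo-$v.tar.zst" && echo verified
```

The pinned fingerprint is only meaningful if it reaches you by a path other than the one that served the tarball and key, which is what the key's LibrePGP signature is for.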

=> Metalink4
    .meta4 file contains both LibrePGP and OpenSSH signatures.

=> KEKS/CM
    .cm quantum-resistant SLH-DSA signature.
    => public key
    => its LibrePGP signature

    $ fpr=$(kekspp -v -p /data/id <PUBKEY-CM.pub)
    $ echo $fpr
    DB81E5A01871AA5715DD1AEBC2E712D8D31EAA088F3030427CAEF8CDEC9D15E1
    $ mkdir -p pubs
    $ ln -s ../PUBKEY-CM.pub pubs/$fpr
    $ cat goredo-$v.tar.zst.cm goredo-$v.tar.zst | cmsigtool -v -d -pubs pubs