You *have to* verify the authenticity of downloaded tarballs to be sure that
you retrieved trusted and untampered software.

The Metalink4 file contains its OpenSSH signature.
=> PUBKEY-SSH.pub
=> PUBKEY-SSH.pub.asc
=> OpenSSH
=> GnuPG
=> Metalink4

The .sig file in cm/signed/ can be verified with:
=> PUBKEY-CM.pub
=> PUBKEY-CM.pub.asc

    # signature first, then the data, on stdin; the public key on file descriptor 4
    $ cat keks-$version.tar.zst.sig keks-$version.tar.zst |
        cmsigtool -v -d 4<PUBKEY-CM.pub
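The Metalink4 path above deserves a worked example too. The following is an added example, not tooling shipped by the project: it checks a detached OpenSSH signature over the .meta4 file with `ssh-keygen -Y verify`, then checks that a downloaded tarball matches the sha-256 hash the .meta4 lists for it (RFC 5854 `<hash type="sha-256">`). The signing namespace "file", the signer identity "keks", the allowed_signers layout and the detached `.sig` filename are assumptions for the example; the page does not state them, so check them against the published key before relying on the verify step. The PUBKEY-SSH.pub key itself should first be checked with `gpg --verify PUBKEY-SSH.pub.asc PUBKEY-SSH.pub` against a GnuPG key you already trust.

```shell
#!/bin/sh
# Added example (not the project's own code): verify a Metalink4 file's
# detached OpenSSH signature, then verify a tarball against the sha-256
# hash listed in that Metalink4 file.
# Assumed (not stated on the page): signature made with "ssh-keygen -Y sign"
# in namespace "file", stored as <meta4>.sig, signer identity "keks".
set -eu

# Portable sha-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Build an allowed_signers file from a public key such as PUBKEY-SSH.pub.
# Args: pubkey-file identity out-file
make_allowed_signers() {
    printf '%s namespaces="file" %s\n' "$2" "$(cat "$1")" > "$3"
}

# Verify a detached OpenSSH signature.
# Args: message-file signature-file identity allowed_signers-file
# Exit status is ssh-keygen's: 0 only for a good signature by that identity.
verify_ssh_sig() {
    ssh-keygen -Y verify -f "$4" -I "$3" -n file -s "$2" < "$1"
}

# Print the sha-256 hash for a named file from a Metalink4 document
# (<file name="..."> ... <hash type="sha-256">hex</hash> ... </file>).
# Args: meta4-file file-name
meta4_sha256() {
    awk -v name="$2" '
        /<file name="/ { infile = index($0, "name=\"" name "\"") > 0 }
        infile && /<hash type="sha-256">/ {
            sub(/.*<hash type="sha-256">/, ""); sub(/<\/hash>.*/, ""); print; exit
        }' "$1"
}

# Compare a tarball's actual sha-256 with the one listed in the Metalink4.
# Args: meta4-file tarball-path. Returns 0 on match, 1 on mismatch or no entry.
check_tarball_hash() {
    expected=$(meta4_sha256 "$1" "$(basename "$2")")
    [ -n "$expected" ] || return 1
    actual=$(sha256 "$2")
    [ "$expected" = "$actual" ]
}

# Full procedure, in the order a practitioner should run it:
# 1. verify the Metalink4 file's signature, 2. only then trust its hashes.
# Args: meta4-file pubkey-file tarball-path
verify_download() {
    tmp=$(mktemp -d)
    make_allowed_signers "$2" keks "$tmp/allowed_signers"
    verify_ssh_sig "$1" "$1.sig" keks "$tmp/allowed_signers" || return 1
    check_tarball_hash "$1" "$3"
}
```

`verify_download` refuses to consult the hash list at all until the signature over the Metalink4 file is good; a hash taken from an unverified .meta4 proves nothing, since an attacker who can swap the tarball can swap the hash file with it.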