You *have to* verify the authenticity of downloaded tarballs to be sure that
you retrieved trusted and untampered software.
The Metalink4 file contains its OpenSSH signature.
=> PUBKEY-SSH.pub
=> PUBKEY-SSH.pub.asc
=> OpenSSH
=> GnuPG
=> Metalink4
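As an added example (not code from this page or the KEKS/CM projects), the snippet below parses a Metalink4 document of the RFC 5854 shape, checks a downloaded tarball against the size and SHA-256 it lists, and pulls out the per-file signature block so it can be handed to ssh-keygen -Y verify. The Metalink4 text, the tarball bytes and the "application/x-ssh-signature" mediatype are constructed for the example; the signature body is a placeholder and is not verified here, only extracted.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "urn:ietf:params:xml:ns:metalink"}  # RFC 5854 namespace

# RFC 5854 hash "type" values we are willing to trust, mapped to hashlib names.
# Anything else (md5, sha-1, unknown) is ignored, so such entries fail closed.
ACCEPTED_HASHES = {"sha-256": "sha256", "sha-512": "sha512"}

# Constructed stand-in for keks-$version.tar.zst (not a real archive).
SAMPLE_TARBALL = b"constructed bytes standing in for a tarball\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_TARBALL).hexdigest()

# Constructed Metalink4 document; signature body and mediatype are placeholders.
SAMPLE_METALINK = f"""<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="keks-VERSION.tar.zst">
    <size>{len(SAMPLE_TARBALL)}</size>
    <hash type="sha-256">{SAMPLE_SHA256}</hash>
    <url>https://example.invalid/keks-VERSION.tar.zst</url>
    <signature mediatype="application/x-ssh-signature">-----BEGIN SSH SIGNATURE-----
PLACEHOLDER
-----END SSH SIGNATURE-----</signature>
  </file>
</metalink>
"""


def parse_metalink(xml_text):
    """Return {file name: {"size": int|None, "hashes": {type: hex}, "signature": str|None}}."""
    root = ET.fromstring(xml_text)
    files = {}
    for f in root.findall("ml:file", NS):
        size_el = f.find("ml:size", NS)
        sig_el = f.find("ml:signature", NS)
        files[f.get("name")] = {
            "size": int(size_el.text) if size_el is not None else None,
            "hashes": {h.get("type"): h.text.strip() for h in f.findall("ml:hash", NS)},
            "signature": sig_el.text.strip() if sig_el is not None and sig_el.text else None,
        }
    return files


def verify_file(entry, data):
    """Check data against a parsed <file> entry.

    The size (if listed) must match and every accepted hash must match; at least
    one accepted hash must be present, otherwise the check fails closed.
    """
    if entry["size"] is not None and entry["size"] != len(data):
        return False
    checked = False
    for htype, expected in entry["hashes"].items():
        algo = ACCEPTED_HASHES.get(htype)
        if algo is None:
            continue
        if hashlib.new(algo, data).hexdigest() != expected.lower():
            return False
        checked = True
    return checked


if __name__ == "__main__":
    entries = parse_metalink(SAMPLE_METALINK)
    entry = entries["keks-VERSION.tar.zst"]
    print("hash/size check:", verify_file(entry, SAMPLE_TARBALL))
    # The extracted signature would be written to a .sig file and checked with
    # ssh-keygen -Y verify against an allowed_signers file built from PUBKEY-SSH.pub.
    print(entry["signature"])
```

The hash check is only a transport-integrity step: the security comes from verifying the extracted signature with the trusted OpenSSH public key, which this snippet does not do.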
The .sig file under [cm/signed/] can be verified with:
=> PUBKEY-CM.pub
=> PUBKEY-CM.pub.asc
```
$ cat keks-$version.tar.zst.sig keks-$version.tar.zst |
    cmsigtool -v -d 4<PUBKEY-CM.pub
```