Preferable way is to download tarball with the signature from
website and, for example, run tests with benchmarks:

@verbatim
$ [fetch|wget] http://gocheese.cypherpunks.ru/gocheese-2.2.0.tar.xz
$ [fetch|wget] http://gocheese.cypherpunks.ru/gocheese-2.2.0.tar.xz.sig
$ gpg --verify gocheese-2.2.0.tar.xz.sig gocheese-2.2.0.tar.xz
$ xz -d < gocheese-2.2.0.tar.xz | tar xf -
$ make -C gocheese-2.2.0 all test
@end verbatim


You have to verify downloaded tarballs integrity and authenticity to be
sure that you retrieved trusted and untampered software. GNU Privacy
Guard is used for that purpose.

For the very first time it is necessary to get signing public key and
import it. It is provided below, but you should check alternative
resources.

    pub   rsa2048/0xCD5CD01F55343D88 2019-12-08 [SC]
          9B27640BA78437EC6D4ACA6CCD5CD01F55343D88
    uid   GoCheese releases <gocheese@cypherpunks.ru>

    Look in PUBKEY.asc file.

    $ gpg --auto-key-locate dane --locate-keys gocheese at cypherpunks dot ru
    $ gpg --auto-key-locate wkd --locate-keys gocheese at cypherpunks dot ru