+You @strong{have to} verify downloaded tarballs authenticity to be sure
+that you retrieved trusted and untampered software. There are two options:
+
+@table @asis
+
+@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
+ Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
+ implementation.
+ For the very first time it is necessary to get signing public key and
+ import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should
+ check alternate resources.
+
+@verbatim
+pub ed25519/0x3A528DDE952C7E93 2021-01-09
+ 7531BB84FAF0BF35960C63B93A528DDE952C7E93
+uid goredo releases <goredo@cypherpunks.ru>
+@end verbatim
+
+@example
+$ gpg --auto-key-locate dane --locate-keys goredo at cypherpunks dot ru
+$ gpg --auto-key-locate wkd --locate-keys goredo at cypherpunks dot ru
+@end example
+
+@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
+ @url{PUBKEY-SSH.pub, Public key} and its OpenPGP
+ @url{PUBKEY-SSH.pub.asc, signature} made with the key above.
+ Its fingerprint: @code{SHA256:ddOaswnUBtNbuoEBYQtfcF59sR3Bvzo9pIfSlw9sKx8}.
+
+@example
+$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I goredo@@cypherpunks.ru -n file \
+ -s goredo-@value{VERSION}.tar.zst.sig < goredo-@value{VERSION}.tar.zst
+@end example
+
+@end table