You @strong{have to} verify downloaded tarballs authenticity to be sure
that you retrieved trusted and untampered software. There are two options:

@table @asis

@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
    Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
    implementation.
    For the very first time it is necessary to get signing public key and
    import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should
    check alternate resources.

@verbatim
pub   rsa2048/0xE6FD1269CD0C009E 2016-09-13
      F55A 7619 3A0C 323A A031  0E6B E6FD 1269 CD0C 009E
uid   PyGOST releases <pygost at cypherpunks dot ru>
@end verbatim

@example
$ gpg --auto-key-locate dane --locate-keys pygost at cypherpunks dot ru
$ gpg --auto-key-locate  wkd --locate-keys pygost at cypherpunks dot ru
@end example

@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
    @url{PUBKEY-SSH.pub, Public key} and its OpenPGP
    @url{PUBKEY-SSH.pub.asc, signature} made with the key above.
    Its fingerprint: @code{SHA256:/Z3T/T2sXaaunefAL6tz3ZykHTDYIMh5TLd9Hh9mxlU}.

@example
$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I pygost@@cypherpunks.ru -n file \
    -s pygost-@value{VERSION}.tar.zst.sig < pygost-@value{VERSION}.tar.zst
@end example

@end table