You *have to* verify the authenticity of downloaded tarballs to be sure
that you retrieved trusted and untampered software.

The Metalink4 file contains its OpenSSH signature.
=> PUBKEY-SSH.pub
=> PUBKEY-SSH.pub.asc
=> https://www.openssh.com/ OpenSSH
=> https://gnupg.org/ GnuPG
=> https://datatracker.ietf.org/doc/html/rfc5854.html Metalink4
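
A Metalink4 document (RFC 5854) can carry per-file size and hash elements, so after its signature has been verified it can vouch for a downloaded tarball. The following is an added example, not part of this project's tooling: it checks a file against those elements and refuses to pass on weak or missing hashes. The file name, tarball bytes and function name are constructed for illustration, and the signature check itself is not shown.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "urn:ietf:params:xml:ns:metalink"}  # RFC 5854 namespace
# Metalink4 hash type names mapped to hashlib names; anything else is ignored.
STRONG = {"sha-256": "sha256", "sha-512": "sha512"}

# Constructed sample: a one-file Metalink4 document for a made-up tarball.
SAMPLE_DATA = b"constructed tarball bytes\n"
SAMPLE_META = f"""<?xml version="1.0" encoding="UTF-8"?>
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="example-1.0.tar.zst">
    <size>{len(SAMPLE_DATA)}</size>
    <hash type="sha-256">{hashlib.sha256(SAMPLE_DATA).hexdigest()}</hash>
    <hash type="sha-512">{hashlib.sha512(SAMPLE_DATA).hexdigest()}</hash>
  </file>
</metalink>""".encode()


def check_file(metalink_xml: bytes, name: str, data: bytes) -> list[str]:
    """Return the hash types that matched; raise ValueError on any failure."""
    root = ET.fromstring(metalink_xml)
    for f in root.findall("ml:file", NS):
        if f.get("name") == name:
            break
    else:
        raise ValueError(f"{name}: not listed in metalink")
    size = f.findtext("ml:size", namespaces=NS)
    if size is not None and int(size) != len(data):
        raise ValueError(f"{name}: size mismatch")
    matched = []
    for h in f.findall("ml:hash", NS):
        algo = STRONG.get((h.get("type") or "").lower())
        if algo is None:
            continue  # md5, sha-1 and unknown types prove nothing here
        want = (h.text or "").strip().lower()
        if hashlib.new(algo, data).hexdigest() != want:
            raise ValueError(f"{name}: {h.get('type')} mismatch")
        matched.append(h.get("type"))
    if not matched:
        raise ValueError(f"{name}: no strong hash in metalink")
    return matched


if __name__ == "__main__":
    print(check_file(SAMPLE_META, "example-1.0.tar.zst", SAMPLE_DATA))
```

A hash match only ties the tarball to the metalink; trust still comes from the signature over the metalink itself.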

The [cm/signed/] .sig file can be verified with:
=> PUBKEY-CM.pub
=> PUBKEY-CM.pub.asc

    $ cat keks-$version.tar.zst.sig keks-$version.tar.zst |
        cmsigtool -v -d 4<PUBKEY-CM.pub
