Tarballs integrity check

You have to check the integrity of downloaded archives and verify their signatures to be sure that you have got trusted, untampered software. GNU Privacy Guard is used for integrity and authentication of downloaded binaries. You must download the signature (.sig) provided with the tarball.

The very first time, you need to import the signing public key. Its fingerprint and the commands to fetch it are provided below, but it is better to cross-check it against alternative sources.

pub   rsa2048/0xBE033FCAB6C7005D 2020-09-01
      8D99 FD69 B6A7 98B2 43B9  3A36 BE03 3FCA B6C7 005D
uid   gostipsec releases <gostipsec at cypherpunks dot ru>
$ gpg --auto-key-locate dane --locate-keys gostipsec at cypherpunks dot ru
$ gpg --auto-key-locate wkd --locate-keys gostipsec at cypherpunks dot ru

Then you can verify the tarball's signature:

$ gpg --verify gostipsec-v1.0.0.tar.zst.sig gostipsec-v1.0.0.tar.zst
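gpg --verify reports success for a good signature made by any key in your keyring, so a scripted check should also pin the signer to the fingerprint listed above. The following is an added example, not part of the original page or the project's own tooling; the function names validsig_matches and verify_tarball are hypothetical, and the fingerprint is the one printed on this page with spaces removed.

```shell
#!/bin/sh
# Added example: verify a detached signature AND pin the signing key.
# Fingerprint copied from this page (spaces removed).
EXPECTED_FPR=8D99FD69B6A798B243B93A36BE033FCAB6C7005D

# validsig_matches FPR
# Reads "gpg --status-fd" output on stdin. Succeeds only if a VALIDSIG
# line names FPR as the primary key fingerprint (last field of the line).
# Anything else, including empty input, fails closed.
validsig_matches() {
    # Accept the fingerprint with or without spaces, in either case.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit !ok }'
}

# verify_tarball SIG FILE [FPR]
# Returns 0 only if gpg accepts the signature and it was made by FPR
# (default: EXPECTED_FPR). The key must already be imported.
verify_tarball() {
    sig=$1 file=$2 fpr=${3:-$EXPECTED_FPR}
    # Machine-readable status goes to stdout; human messages are dropped.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) \
        || return 1
    printf '%s\n' "$status" | validsig_matches "$fpr"
}

# Stand-alone use: sh verify.sh gostipsec-v1.0.0.tar.zst.sig gostipsec-v1.0.0.tar.zst
if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: signed by $EXPECTED_FPR"
    else
        echo "FAILED: bad signature or unexpected signer" >&2
        exit 1
    fi
fi
```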