Use gpg to verify that the release archive has not been altered.

For example:
gpg --verify patroneo-2.3.0.tar.gz.sig patroneo-2.3.0.tar.gz