Use gpg to verify that the release archive has not been altered. For example: gpg --verify patroneo-1.4.1.tar.gz.sig patroneo-1.4.1.tar.gz