Use gpg to verify that the release archive has not been altered. For example: gpg --verify patroneo-2.3.0.tar.gz.sig patroneo-2.3.0.tar.gz