You *have to* verify downloaded tarballs authenticity to be sure that
you retrieved trusted and untampered software. OpenSSH .sig signature
[PUBKEY-SSH.pub] and its OpenPGP [PUBKEY-SSH.pub.asc] made with the key
above. Its fingerprint: SHA256:qmlbyzvDRNXGJNxteapAWOmJRrBrZ7afLsEqr36M6kA.

=> https://www.openssh.com/ OpenSSH

$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I vors@stargrave.org -n file \
    -s vors-$version.tar.zst.sig <vors-$version.tar.zst
