Verify download, signed installation package

This is an incredible program, but I would really love to be able to verify the installer once I've downloaded it. The reason is simple: one can never know if, for brief moments, the installer gets replaced with another one which has malicious code embedded in it.

I reckon that this has probably never happened before, but I think that adding another layer of security to an app that will hold such important and personal information is surely beneficial, right?

If those keys are already available, I wasn’t able to find them after some googling…

See Releases · buchen/portfolio · GitHub: the download files and the .asc signature files are there.

$ gpg1 --verify PortfolioPerformance-0.56.3-linux.gtk.x86_64.tar.gz.asc
gpg: die unterzeichneten Daten sind wohl in 'PortfolioPerformance-0.56.3-linux.gtk.x86_64.tar.gz'
gpg: Unterschrift vom So 09 Jan 2022 20:49:07 CET mittels RSA-Schlüssel ID 560C95AC
gpg: fordere Schlüssel 560C95AC von hkps-Server keys.openpgp.org an
gpg: Schlüssel 560C95AC: Öffentlicher Schlüssel "Buchen Andreas <andreas.buchen@gmail.com>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1  (RSA: 1)
gpg: Korrekte Unterschrift von "Buchen Andreas <andreas.buchen@gmail.com>"
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = E46E 6F8F F02E 4C83 5690  8458 9239 277F 560C 95AC
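The gpg output above ends with "Korrekte Unterschrift" followed by a warning: the signature is cryptographically valid, but gpg has no reason to believe the key belongs to the project, so the remaining check is on you, namely comparing the printed fingerprint with one obtained through a second channel. The script below is an added example (not part of this thread, the project, or gpg) that automates that comparison: it runs `gpg --verify` with `--status-fd`, whose machine-readable lines are the same in every locale (so it works with the German output shown here), and accepts the download only when a VALIDSIG line carries the pinned fingerprint. The fingerprint is the one printed in the reply above; the function names, file names, and the sample status lines in the test are constructed for illustration.

```shell
#!/bin/sh
# Pinned fingerprint, taken from the gpg output in the reply above (spaces removed).
# Obtain and compare it through a second channel before trusting it.
EXPECTED_FPR="E46E6F8FF02E4C83569084589239277F560C95AC"

# check_status: reads "gpg --status-fd" lines on stdin and returns 0 only if a
# VALIDSIG line names the expected fingerprint. Any bad, errored, expired-key or
# revoked-key signature fails immediately. "GOODSIG" alone is NOT enough: it says
# the signature verifies, not that the signing key is the one you expect.
check_status() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Format: [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...
                fpr=$(printf '%s\n' "$line" | awk '{print $3}')
                [ "$fpr" = "$expected" ] && found=0
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1
                ;;
        esac
    done
    return $found
}

# verify_release: verify a detached .asc signature against the downloaded
# archive (defaults to the .asc name with the suffix removed) and pin the key.
# Usage: verify_release PortfolioPerformance-0.56.3-linux.gtk.x86_64.tar.gz.asc
verify_release() {
    sigfile="$1"
    datafile="${2:-${sigfile%.asc}}"
    if gpg --batch --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null \
        | check_status "$EXPECTED_FPR"; then
        echo "OK: $datafile is signed by the pinned key"
        return 0
    fi
    echo "FAIL: $datafile is not signed by the pinned key; do not install it" >&2
    return 1
}
```

Run `verify_release <file>.asc` after importing the project's key (the reply above shows gpg fetching it from keys.openpgp.org). Because the decision rests on the fingerprint rather than on gpg's trust database, you get a clear pass/fail without having to sign the key locally, and a substituted installer signed by some other key is rejected even though gpg would still report a "good signature" for it.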