• Obtaining the checksum of the tarball
• Obtaining the release commit and signature
• Verifying the signature of the commit
• Generating the tarball from the verified tag
• Conclusion