It is highly recommended to verify the signature of the tarball. You will need the OpenBSD tool ‘signify(1)’ for this. Many distributions provide a package for it; if you are using a Carbs Linux host, you can also install the ‘otools’ package, which provides ‘signify’. Download the signature first.
wget $URL/carbs-rootfs.tar.xz.sig
The signature file should say something similar to
untrusted comment: verify with carbslinux-2023.02.pub RWTe38zmx+iyuKEL5T84MJ5Y24jqenkTtQLJxbaMzOBS/NkGVl5J+Vn2B6vTV/gJK7LYBPS+IOXV5sEf+YLGCMcBYAGHCcP4xQ8=
Grab the key named in the signature file (which should normally be the latest one) from https://dl.carbslinux.org/keys/ so you can verify the signature. The latest signify public key is also shipped in the package repository, so you can check the validity of the public key from more than one location, or just copy that portion into a file and use that instead.
PUBKEY=carbslinux-2023.02.pub
wget https://dl.carbslinux.org/keys/$PUBKEY
You can now verify the distribution tarball with signify.
signify -V -m carbs-rootfs.tar.xz -p $PUBKEY
If everything went well, this should output:
Signature Verified
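The steps above, wrapped into a small POSIX sh script as an added example (not Carbs Linux's own tooling). Before signify runs, it cross-checks the downloaded key file against the signature: the "untrusted comment" is only a hint, so the script checks that the file it names is the one you fetched, and it compares the 8-byte key id that signify embeds in both the .pub and the .sig payloads. Function names, the key-id extraction and the demo comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the Carbs Linux rootfs with signify, after making sure
# the public key we downloaded actually belongs to the signature we were given.

# A signify .pub or .sig file is two lines: an "untrusted comment:" line and a
# base64 payload. The payload begins with the 2-byte algorithm tag "Ed" and an
# 8-byte key id that is the same in a key and in every signature made with it.
# Print that key id as hex (assumed layout, matching signify's file format).
signify_keynum() {
    sed -n '2p' "$1" | base64 -d | od -An -tx1 -j2 -N8 | tr -d ' \n'
}

# Cross-check pubkey ($1) against signature ($2) before trusting either:
#  - the comment is a hint only ("untrusted"), so the key file it names must
#    be the one we actually downloaded, not the other way round;
#  - the embedded key ids must match, which catches a signature made with a
#    different (for example older) release key whatever the comment says.
check_key_matches_sig() {
    named=$(sed -n '1s/^untrusted comment: verify with //p' "$2")
    want=$(basename "$1")
    if [ "$named" != "$want" ]; then
        echo "signature names '$named', but the key file is '$want'" >&2
        return 1
    fi
    if [ "$(signify_keynum "$1")" != "$(signify_keynum "$2")" ]; then
        echo "key id embedded in $2 does not match $1" >&2
        return 1
    fi
    return 0
}

# Full check: pubkey ($1), tarball ($2); the signature is expected at "$2.sig".
# signify prints "Signature Verified" itself on success.
verify_rootfs() {
    check_key_matches_sig "$1" "$2.sig" || return 1
    signify -V -m "$2" -p "$1" -x "$2.sig"
}

# Usage, once carbs-rootfs.tar.xz, its .sig and the key are in the current dir:
#   verify_rootfs carbslinux-2023.02.pub carbs-rootfs.tar.xz
```

A mismatch is reported on stderr and the function returns non-zero before signify is ever invoked, so a wrong or stale key file fails loudly instead of silently producing an unverifiable tarball.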