Get the sources of the program
Since the program is open-source, you can get the sources with these ways :
There is a lot of mirror of the code, hence Gitlab is most actively updated one :
You can get tarballs with Git interfaces or in this directory.
.gpgfiles are bigger, since they contain both the signature and the data. You may verify them with
gpg --output tarball --decrypt tarball.gpg.
In the past, non ascii-armored signature were published. They have the
.sigextension and are binary file. You can use them to verify as well, even if they are portability issue. See this commit for more background.