All releases are signed by one of the Jam contributors. As of this writing (742,834), releases are signed with dergigi's PGP key which has the following fingerprint:
8198 A185 30A5 22A0 9561 2439 89C4 A25E 69A5 DE7F
To verify a specific release, import the key
curl https://dergigi.com/PGP.txt | gpg --import
and verify the git tag of your local copy:
git verify-tag v0.0.10
This should produce an output that contains "good signature" as well as the key fingerprint mentioned above:
gpg: Signature made Fr 5 Aug 14:17:58 2022 CEST gpg: using RSA key 8198A18530A522A09561243989C4A25E69A5DE7F gpg: Good signature from "Gigi <firstname.lastname@example.org>" [unknown] ... Primary key fingerprint: 8198 A185 30A5 22A0 9561 2439 89C4 A25E 69A5 DE7F
You can also see if a release was signed properly by clicking on the verification tag next to the version number on the releases page on GitHub.
It should say that "This tag was signed with the committer’s verified
signature" and show you the last 16 characters of the GPG key ID listed above
89C4 A25E 69A5 DE7F).