When we create a new Matomo (Piwik) release, right after the Matomo core packages .zip and .tar.gz have been created, the Matomo release manager signs the packages using his PGP key. This creates a cryptographic signature which gives you the possibility to check that the release package you have downloaded is the same as the one that was provided by Matomo team. Learn how to verify the signature in this blog post with instructions for Windows, Mac OS X and Linux.