well, it needs to start with verifying the tool before verifying other things. 🤓

and in this case, the software didn't sign too? and how can I tell is it sign or not? ( when do I need to do the sha256sum --check step )