Source releases are compressed with xz or gzip depending on their vintage. SHA512 checksums for all of them are provided in a single checksums file, and each tarball has a detached signature made with the author's current PGP key.
Retrieve the compressed tarball you want along with the checksums file and check it (note the two spaces between the digest and the file name; that is the format sha512sum -c expects, and with a single space it will report that no properly formatted checksum lines were found):
grep '^.\{128\}  weather-2.5.0.tar.xz$' checksums | sha512sum -c
You should see output along the lines of:
weather-2.5.0.tar.xz: OK
Anything else (FAILED, or a complaint about missing checksum lines) means the download is corrupt or incomplete, or the checksums file does not list that tarball; do not proceed with it.
If you don't already have the author's PGP key in your keyring, obtain it from a well-known keyserver:
gpg --keyserver hkps://keys.openpgp.org --recv-keys 0x48F9961143495829
A keyserver only tells you that some key with that ID was uploaded, not that it belongs to the author, so confirm the full fingerprint it shows (gpg --fingerprint 0x48F9961143495829) is 97AE496FC02DEC9FC353B2E748F9961143495829, the key identified in the signature output below, before relying on it.
Retrieve the detached signature (.asc or .pgp file) corresponding to the downloaded tarball and then check it with GnuPG like:
gpgv weather-2.5.0.tar.xz.pgp weather-2.5.0.tar.xz
Note that gpgv does not read your normal keyring: by default it consults only ~/.gnupg/trustedkeys.kbx (trustedkeys.gpg on older releases), so a key fetched with gpg --recv-keys will be reported as missing unless you export it into that file or point gpgv at your keyring explicitly:
gpgv --keyring ~/.gnupg/pubring.kbx weather-2.5.0.tar.xz.pgp weather-2.5.0.tar.xz
Alternatively, gpg --verify weather-2.5.0.tar.xz.pgp weather-2.5.0.tar.xz uses the normal keyring directly.
Expect output similar to:
gpgv: Signature made 2024-05-12T20:27:09 UTC
gpgv: using RSA key 97AE496FC02DEC9FC353B2E748F9961143495829
gpgv: Good signature from "Jeremy Stanley <fungi@yuggoth.org>"
gpgv: aka "[invalid image]"
gpgv: aka "Jeremy Stanley <jeremy@openstack.org>"
Bear in mind that gpgv treats every key in the keyring it is given as fully trusted, so "Good signature" only means the tarball was signed by some key you imported; check that the fingerprint on the "using RSA key" line is the one you expected, and treat any BAD signature, expired key or "No public key" result as a failed verification.
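The whole procedure above (checksum, then signature) as a script, added here as an example and not code from the weather project. It does what the manual commands do, and additionally pins the signing key's full fingerprint rather than accepting any "Good signature". It assumes gpgv is on PATH and that you pass the keyring explicitly (gpgv does not read ~/.gnupg/pubring.kbx on its own); the sample gpgv status lines embedded for the offline self-check are constructed from the values shown on this page, not captured output.

```python
#!/usr/bin/env python3
"""Check a release tarball's SHA512 checksum and detached PGP signature.

Added example, not code from the weather project.  Performs the same two
checks as the commands above, plus one they leave to the reader: pinning the
signing key's full fingerprint instead of accepting any "Good signature".
Assumes gpgv is on PATH and that the keyring is passed explicitly.
"""
import hashlib
import hmac
import re
import subprocess
import sys
from pathlib import Path

# sha512sum writes "<128 hex>  <name>" (text mode) or "<128 hex> *<name>"
# (binary mode); accept both, plus the leading "\" that escaped names carry.
_CHECKSUM_LINE = re.compile(r"^\\?([0-9a-fA-F]{128}) [ *](.+)$")

# gpgv --status-fd keywords after which the signature must not be accepted.
_FATAL_STATUS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Fingerprint of the key shown in the gpgv output above.
AUTHOR_FPR = "97AE496FC02DEC9FC353B2E748F9961143495829"

# Constructed gpgv --status-fd output for an offline self-check (not captured
# from a real run); 1715545629 is 2024-05-12T20:27:09 UTC, the date above.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 48F9961143495829 Jeremy Stanley <fungi@yuggoth.org>\n"
    f"[GNUPG:] VALIDSIG {AUTHOR_FPR} 2024-05-12 1715545629 0 4 0 1 10 00 {AUTHOR_FPR}\n"
)


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def parse_checksums(text: str) -> dict:
    """Map file name -> lowercase hex digest; malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _CHECKSUM_LINE.match(line)
        if m:
            table[m.group(2)] = m.group(1).lower()
    return table


def sha512_matches(checksums_text: str, filename: str, data: bytes) -> bool:
    """True only if filename is listed and its digest matches data."""
    expected = parse_checksums(checksums_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha512_hex(data))


def status_has_valid_sig(status_text: str, expected_fpr: str) -> bool:
    """Accept only a VALIDSIG whose signing or primary key is the pinned one.

    GOODSIG reports just the 64-bit key ID, too short to pin on; VALIDSIG
    carries the full fingerprint of the signing (sub)key and, as its last
    field, the primary key's fingerprint.  Any fatal keyword anywhere in the
    output rejects the file, even if another signature on it is valid.
    """
    want = expected_fpr.replace(" ", "").upper()
    valid = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in _FATAL_STATUS:
            return False
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            if want in {parts[2].upper(), parts[-1].upper()}:
                valid = True
    return valid


def verify_signature(tarball: Path, signature: Path, keyring: Path, expected_fpr: str) -> bool:
    """Run gpgv against an explicit keyring (by default it reads only
    trustedkeys.kbx, not the keyring gpg --recv-keys populates)."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", str(keyring), str(signature), str(tarball)],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and status_has_valid_sig(proc.stdout, expected_fpr)


def verify_release(tarball: Path, checksums: Path, signature: Path, keyring: Path,
                   expected_fpr: str = AUTHOR_FPR) -> bool:
    """Checksum first (cheap, catches truncated downloads), then signature."""
    if not sha512_matches(checksums.read_text(), tarball.name, tarball.read_bytes()):
        return False
    return verify_signature(tarball, signature, keyring, expected_fpr)


if __name__ == "__main__":
    # usage: verify_release.py TARBALL CHECKSUMS SIGNATURE KEYRING [FINGERPRINT]
    if len(sys.argv) < 5:
        sys.exit("usage: verify_release.py TARBALL CHECKSUMS SIGNATURE KEYRING [FINGERPRINT]")
    fpr = sys.argv[5] if len(sys.argv) > 5 else AUTHOR_FPR
    ok = verify_release(*(Path(a) for a in sys.argv[1:5]), fpr)
    print("OK" if ok else "FAILED")
    sys.exit(0 if ok else 1)
```

Checking the checksum before the signature is deliberate: a truncated or corrupted download fails fast without invoking gpgv, and a tarball that is not listed in the checksums file at all is rejected rather than silently skipped, which is what an empty grep match would do in the manual command.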