Our installers are signed with Authenticode while portable archives  are  signed
with RSA. These signatures ensure authenticity of automatic  updates  since  the
update service (Sup) is running under a privileged user.

Additionally, you can verify them by hand.

Verify Authenticode by opening Properties of the installer (EXE file) in Windows
Explorer, switching to  the  Digital  Signatures  tab  and  double-clicking  any
signature in the list (sha1 or sha256). A  window  should  appear  saying  "This
digital signature is OK."

Verify RSA by splitting the archive file in two parts: the signature part is the
last 512 bytes of it while the rest is the archive itself  (signed  data),  then
using openssl's pkeyutl command or another similar tool on the  SHA-256  digest.
Example:

    openssl dgst -binary -sha256 <archive | openssl pkeyutl -verify -inkey Soletude-RSA.pub -pubin -sigfile signature
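
The split and the verification above can be done in one step. The script below
is an added example, not part of the original release tooling; the function
names and SIG_LEN are illustrative, and it assumes a PEM public key file.

```shell
#!/bin/sh
# Added example: split_archive, verify_archive and SIG_LEN are illustrative names.
SIG_LEN=512   # the page states the signature is the last 512 bytes

# split_archive ARCHIVE DATA_OUT SIG_OUT
# Writes the signed data and the trailing signature to separate files.
split_archive() {
    [ -f "$1" ] || { echo "error: $1 not found" >&2; return 2; }
    size=$(wc -c <"$1" | tr -d ' ')
    if [ "$size" -le "$SIG_LEN" ]; then
        echo "error: $1 is too short to carry a signature" >&2
        return 2
    fi
    head -c "$((size - SIG_LEN))" "$1" >"$2" &&
    tail -c "$SIG_LEN" "$1" >"$3"
}

# verify_archive ARCHIVE PUBKEY
# Returns 0 only if the trailing signature verifies against PUBKEY.
verify_archive() {
    tmp=$(mktemp -d) || return 2
    if split_archive "$1" "$tmp/data" "$tmp/signature"; then
        # Same pipeline as the example above, applied to the split parts.
        # Success is decided by the message openssl prints on a valid signature.
        openssl dgst -binary -sha256 <"$tmp/data" |
            openssl pkeyutl -verify -inkey "$2" -pubin \
                -sigfile "$tmp/signature" 2>/dev/null |
            grep -q 'Signature Verified Successfully'
        rc=$?
    else
        rc=2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh verify.sh ARCHIVE PUBKEY
if [ "$#" -eq 2 ]; then
    if verify_archive "$1" "$2"; then
        echo "signature OK"
    else
        echo "signature INVALID"; exit 1
    fi
fi
```

A truncated download or an archive with anything appended after the signature
shifts the 512-byte window and fails verification.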

Finally, every release is accompanied by a .sig file for validation with GnuPG.