Verify the authenticity via PGP ([.tar.bz2 ]/ [.zip]). The Nextcloud GPG key [is here]. You can also grab the keys by issuing this command: gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A
Ah. Problem:
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A
gpg: keyserver receive failed: No name
After a bit of googling, I found that ha.pool.sks-keyservers.net is deprecated, and I should use different key servers. I did
$ gpg --keyserver keys.openpgp.org --recv-keys 28806A878AE423A28372792ED75899B9A724937A
gpg: key D75899B9A724937A: no user ID
gpg: Total number processed: 1
And maybe you could ask someone like Bruce Schneier, or some additional publicly-searchable security mavens to sign the key, too? It would feel much less like “whistling past the graveyard” to be verifying the authenticity of a new piece of software with a key I’ve never used before.
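As an added illustration (not part of the thread above, and not Nextcloud's own tooling): once the key is in the keyring, `gpg --verify` exits 0 for a good signature from any key in that keyring, so the step that actually ties the archive to the fingerprint quoted above is checking the `VALIDSIG` line of gpg's machine-readable status output against that fingerprint. The script below does that over constructed sample status transcripts; the `[GNUPG:]` line format is GnuPG's documented `--status-fd` output, and the user IDs and second fingerprint in the samples are made up. (Separately, the "no user ID" result from keys.openpgp.org is expected: that server only publishes user IDs whose address the key owner has verified, and GnuPG versions before 2.2.17 refuse to import a key that arrives without any user ID.)

```shell
#!/bin/sh
# Added example, not code from the thread or from Nextcloud.
# Checks a gpg --status-fd transcript for a VALIDSIG line carrying the
# fingerprint we expect, instead of trusting gpg's exit status alone.

# Fingerprint quoted in the thread's --recv-keys command.
EXPECTED_FPR="28806A878AE423A28372792ED75899B9A724937A"

# Constructed sample of gpg status lines ("[GNUPG:] KEYWORD args ..."), as
# produced by:  gpg --status-fd 1 --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2
# VALIDSIG fields: <fpr> <date> <sig-ts> <expire-ts> <sig-ver> <reserved>
#                  <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D75899B9A724937A Nextcloud Security <security@example.invalid>
[GNUPG:] VALIDSIG 28806A878AE423A28372792ED75899B9A724937A 2020-01-01 1577836800 0 4 0 1 10 00 28806A878AE423A28372792ED75899B9A724937A
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a valid signature, but from some other key in the keyring.
# gpg --verify would still exit 0 here; only the fingerprint check catches it.
WRONG_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111110123456789ABCDEF 2020-01-01 1577836800 0 4 0 1 10 00 1111111111111111111111110123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: archive modified after signing, signature does not verify.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG D75899B9A724937A Nextcloud Security <security@example.invalid>'

# check_validsig STATUS_TEXT FINGERPRINT
# Returns 0 only if the transcript contains no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG
# line and has a VALIDSIG whose signing-key or primary-key fingerprint matches.
check_validsig() {
  status="$1"
  fpr="$2"
  if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) '; then
    return 1
  fi
  printf '%s\n' "$status" | awk -v want="$fpr" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# verify_download SIGFILE FILE FINGERPRINT
# Runs the real gpg and applies the same check to its status output.
verify_download() {
  out=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
  check_validsig "$out" "$3"
}

# Usage against a real download:
#   verify_download nextcloud.tar.bz2.asc nextcloud.tar.bz2 "$EXPECTED_FPR" \
#     && echo "signature OK, made by $EXPECTED_FPR" || echo "REJECT"
```

The check uses the fingerprint rather than the short key ID shown in `GOODSIG`, because short IDs are not unique; the primary-key fingerprint (the optional last `VALIDSIG` field) is also accepted so that a signature made with a signing subkey of the expected key still passes.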
Well, you can get the key from a key server. And the website and download page are independent and ideally not compromised at the same time.
For the update it is probably more interesting: if someone manages to compromise the download server, then for a new version many setups get the compromised version, and that would be really bad.