Sometimes when I download a compressed tgz file from a repo to build from source, I see this sentence:
Foo is GPG-signed; you should check the signature by downloading the accompanying .sig file and running gpg --verify foo.tgz.sig.
The question is: why bother? What if I downloaded the file from their official website or GitHub page, should I still verify the signature? What can go horribly wrong if I don't?
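The workflow the README is asking for, walked through end to end with a throwaway key, as an added example that is not part of the question or of any project's own documentation. It assumes GnuPG 2.1 or later is installed; the key, the user ID demo@example.invalid, the file names and the file contents are all constructed for the demo. It shows three things: a detached signature verifies for the file it was made over, it fails as soon as a single byte of the tarball changes, and `gpg --verify` reports success for any key in your keyring, so the fingerprint it prints in its VALIDSIG status line is what you have to compare against a fingerprint obtained somewhere other than the download location.

```shell
#!/bin/sh
# Added example, not from the original question. Assumes GnuPG >= 2.1.
# Everything below runs in a temporary GNUPGHOME so it never touches your real keyring.

# Returns 0 and prints "ok" when: the genuine tarball verifies, the signing key's
# fingerprint matches the one we "pinned", and a tampered tarball is rejected.
# Returns 2 when gpg is not installed, 1 on any unexpected result.
demo_gpg_verify() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed"
        return 2
    fi
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1

    # Throwaway "maintainer" key with no passphrase (%no-protection). Constructed for the demo only.
    cat > "$work/keyparams" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Foo Maintainer (demo)
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$work/keyparams" >/dev/null 2>&1 || { rm -rf "$work"; return 1; }

    # The fingerprint a user would obtain out of band (project web of trust, keyserver,
    # a maintainer's signed mail) and pin. Here we read it straight from the keyring.
    pinned_fpr=$(gpg --batch --with-colons --fingerprint demo@example.invalid 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')

    # Constructed stand-in for foo.tgz, then the detached signature that is published as foo.tgz.sig.
    printf 'pretend this is a tarball\n' > "$work/foo.tgz"
    gpg --batch --quiet --output "$work/foo.tgz.sig" --detach-sign "$work/foo.tgz" >/dev/null 2>&1 \
        || { rm -rf "$work"; return 1; }

    # User side. --status-fd 1 gives machine-readable lines; VALIDSIG carries the signing key's
    # fingerprint. Exit status alone only says "some key in my keyring made this signature".
    status=$(gpg --batch --status-fd 1 --verify "$work/foo.tgz.sig" "$work/foo.tgz" 2>/dev/null)
    genuine_rc=$?
    signer_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')

    # Attacker swaps the tarball (for example on a mirror or a compromised download page)
    # but cannot produce a new foo.tgz.sig without the maintainer's private key.
    printf 'pretend this is a backdoored tarball\n' > "$work/foo.tgz"
    gpg --batch --quiet --verify "$work/foo.tgz.sig" "$work/foo.tgz" >/dev/null 2>&1
    tampered_rc=$?

    gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$work"

    if [ "$genuine_rc" -eq 0 ] && [ "$signer_fpr" = "$pinned_fpr" ] && [ -n "$pinned_fpr" ] \
        && [ "$tampered_rc" -ne 0 ]; then
        echo ok
        return 0
    fi
    echo "unexpected: genuine_rc=$genuine_rc signer=$signer_fpr pinned=$pinned_fpr tampered_rc=$tampered_rc"
    return 1
}
```

Run `demo_gpg_verify` from a shell with GnuPG available; it prints `ok`. The fingerprint comparison is the step most people skip: if the attacker who replaced the tarball also slipped their own public key into your keyring (or you imported whatever key the download page offered), `gpg --verify` exits 0 for their re-signed file too, so the check is only as strong as where you got the fingerprint from.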