The source code is written in Go. Clone branch "prod" from here by running:
git clone -b prod https://jonirons.net/code/go/jonirons.net.git
I sign all commits to the prod branch using my public GPG key. Audit any code from commits that aren't signed. I wouldn't trust them at all if I were you.
git verify-commit HEAD
I try to keep these binaries roughly up-to-date with the "prod" branch. As with commits to that branch, the below zip as well as the individual binaries it contains all have corresponding signatures from my key (see above) that you should verify before running. After importing my key and downloading the zip:
gpg --verify charlemagne-bin.zip.asc charlemagne-bin.zip
or verify an individual binary's signature from that zip file. The signature files in the zip are mainly there for convenience. You ought to verify against the ones linked here.
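gpg --verify exits successfully for a good signature from any public key in your keyring, so a stricter check also pins the signer's fingerprint. The following is an added example, not part of the original page: EXPECTED_FPR is a placeholder for the full fingerprint of the author's key, and the function names are hypothetical.

```shell
#!/bin/sh
# Placeholder: set this to the full primary-key fingerprint of the author's key.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Read `gpg --status-fd 1` output on stdin. Succeed only if it contains a
# VALIDSIG line whose last field (the primary-key fingerprint) equals $1.
# The third field of VALIDSIG may be a signing subkey, so it is not used.
status_signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !ok }
    '
}

# verify_pinned SIGFILE DATAFILE
# Fails if gpg rejects the signature or if the signer is not EXPECTED_FPR.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_signed_by "$EXPECTED_FPR"
}

# verify_then_unzip SIGFILE ZIPFILE DESTDIR
# Extract only after the pinned check passes.
verify_then_unzip() {
    verify_pinned "$1" "$2" || { echo "signature check failed: $2" >&2; return 1; }
    unzip -q "$2" -d "$3"
}

# Example call:
#   EXPECTED_FPR=<fingerprint> verify_then_unzip charlemagne-bin.zip.asc charlemagne-bin.zip ./bin
```

The same verify_pinned call works for an individual binary and its signature file.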