To download SHASUMS256.txt using curl:

curl -O https://get.pnpm.io/SHASUMS256.txt

To check that a downloaded file matches the checksum, run it through sha256sum with a command such as:

grep v6.16.js SHASUMS256.txt | sha256sum -c -

The GPG detached signature of SHASUMS256.txt is in SHASUMS256.txt.sig. You can use it with gpg to verify the integrity of SHASUMS256.txt. You will first need to import the GPG keys of individuals authorized to create releases. To import the keys:

curl https://keybase.io/pnpm/pgp_keys.asc | gpg --import

Next, download the SHASUMS256.txt.sig:

curl -O https://get.pnpm.io/SHASUMS256.txt.sig

Then use the following script to verify the file's signature:

gpg --verify SHASUMS256.txt.sig SHASUMS256.txt