The release files are signed using a detached signature.  You can obtain the
signature from the GitHub release page

    https://github.com/pgf-tikz/pgf/releases/download/3.1.11/pgf_3.1.11.ctan.flatdir.zip.sig