The directory for each program contains a subdirectory for each version. Each of these subdirectories contains the actual release files, as well as SHA256, SHA512, SHA256.sig, and SHA512.sig.

The files SHA256 and SHA512 can be used to verify the hash using sha256(1) or sha512(1). The *.sig files are the same but additionally contain a signature created with OpenBSD's signify(1). These can be verified using:

    signify -C -p /path/to/lumidify-signify.pub -x .sig

The public key lumidify-signify.pub can be found elsewhere on this site, but true trust of course requires that you get it from me personally through different means so you know it is actually the correct key and my server wasn't cracked (the same applies to the SHA files).

The *.tar.gz and *.sha512 files that are contained directly in the directories for each program are there in order to avoid breaking any links that may exist to them because I originally didn't have the subdirectories for each version.
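
For readers without signify(1), here is an added example (not part of this site's own tooling) that checks the files in a version directory against its SHA256 or SHA512 list. It assumes the lists use the BSD-style "SHA256 (file) = hex" lines that signify -C expects and that a *.sig file starts with signify's two header lines; it checks hashes only and does not verify the signature.

```python
import hashlib
import re
from pathlib import Path

# BSD-style checksum line, e.g. "SHA256 (prog-1.0.tar.gz) = 9f86d0..."
LINE = re.compile(r"^(SHA256|SHA512) \((.+)\) = ([0-9a-fA-F]+)$")


def parse_checklist(text):
    """Return [(algo, filename, hexdigest)] from a SHA256/SHA512 or *.sig file."""
    lines = text.splitlines()
    # A signify-signed list starts with an "untrusted comment:" line followed
    # by the base64 signature; the checksum lines come after those two lines.
    if lines and lines[0].startswith("untrusted comment:"):
        lines = lines[2:]
    entries = []
    for line in lines:
        if not line.strip():
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised checksum line: {line!r}")
        entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries


def check_release(version_dir, checklist_name="SHA256"):
    """Map each listed file to 'OK', 'FAILED' or 'MISSING'."""
    root = Path(version_dir)
    results = {}
    for algo, name, expected in parse_checklist((root / checklist_name).read_text()):
        # Refuse names that would escape the version directory.
        if Path(name).name != name:
            raise ValueError(f"unsafe file name in checklist: {name!r}")
        target = root / name
        if not target.is_file():
            results[name] = "MISSING"
            continue
        h = hashlib.new(algo.lower())
        with target.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "OK" if h.hexdigest() == expected else "FAILED"
    return results


if __name__ == "__main__":
    import sys
    for name, status in check_release(*sys.argv[1:3]).items():
        print(f"{name}: {status}")
```

A matching hash only shows the download agrees with the list; whether the list itself is genuine still depends on the signify signature and on how the public key was obtained.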