The Tor Project signs every build it publishes. Verifying that signature against the project key, on the first install, is the difference between a clean browser and one that quietly leaks your traffic around Tor.
The official download page documents the check for every operating system, step by step. It takes a couple of minutes and you only do it once. Skipping it is the easiest way to end up with a browser that undermines everything else you do carefully afterward.
Once the signature checks out, you know the browser is genuine, and the rest of this flow can trust it.