Take the Audacity software as an example: you should see the following on the official website.
After downloading it, to check that the file is the one the site published and not a malicious substitute, you can use the following command:
$ shasum -a 256 audacity-macos-3.0.0.dmg
f769a9e8c0f2352171933339681616ddab43ca6d7b688918e5af8bd1382a0fad audacity-macos-3.0.0.dmg
As you can see, the SHA-256 checksum matches the one shown on the official website, which means the file is the official one.