
[FEATURE REQUEST] Add SigStore signing to our releases

Open Minothor opened this issue 1 year ago • 0 comments

Is your feature request related to a problem? Please describe.
Currently, aside from generating SHA-512 hashes, we don't have any implementation of binary signing, leaving people more vulnerable to supply-side attacks.

While we're a small group with a limited reach at the moment, it would pay off well to tackle it ahead of time.

Describe the solution you'd like
A consortium has come together to try and make open source signing easy and relatively decoupled from traditional Cert authorities in terms of verification. While the implementation is fairly young, it looks pretty straightforward and related to the CI stuff I've been doing so far: https://sigstore.dev/

Describe alternatives you've considered
A previous implementation I had bookmarked, SignPath Foundation, held a similar premise, but required projects to submit an application for approval, hewing closer to the traditional CA structure. https://signpath.org/

Additional context
I was made aware of this signing project by a former colleague of mine with a solid security mindset and a passion for cryptography and security that outstrips my own in leaps and bounds.

They've implemented it experimentally on their own repo and seem very happy with the results: https://github.com/MatthiasValvekens/pyHanko/blob/master/.github/workflows/release.yml

Minothor, Apr 29 '23 11:04
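A minimal GitHub Actions release job that signs artifacts with Sigstore keyless signing via cosign and verifies them before publishing, as an added example (not hobo_vr's code and not the pyHanko workflow linked above); the workflow path, the tag trigger, the build step and the artifact name are assumptions:

```yaml
# .github/workflows/release.yml (assumed path and artifact name)
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: write   # upload assets to the GitHub release
  id-token: write   # required for keyless (OIDC) Sigstore signing
jobs:
  build-sign-release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Placeholder build step; the real hobo_vr build would go here.
      - name: Build
        run: |
          mkdir -p dist
          tar -czf "dist/hobo_vr-${GITHUB_REF_NAME}.tar.gz" --exclude=.git --exclude=dist .

      - uses: sigstore/cosign-installer@v3

      # Keyless signing: cosign trades the job's OIDC token for a short-lived
      # Fulcio certificate and records the signature in the Rekor transparency log.
      # The bundle file holds signature, certificate and log entry together.
      - name: Sign artifacts
        run: |
          for f in dist/*.tar.gz; do
            sha512sum "$f" > "$f.sha512"
            cosign sign-blob --yes --bundle "$f.sigstore.json" "$f"
          done

      # Verify what was just signed against this workflow's own identity.
      # Downstream users run the same command with the same identity string
      # (repo, workflow path and tag), so a bundle produced elsewhere fails.
      - name: Verify signatures
        run: |
          for f in dist/*.tar.gz; do
            cosign verify-blob \
              --bundle "$f.sigstore.json" \
              --certificate-identity "${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }}" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              "$f"
          done

      - name: Publish release
        uses: softprops/action-gh-release@v2
        with:
          files: dist/*
```

The SHA-512 sidecar only proves integrity of the download; the Sigstore bundle additionally binds the artifact to the repository, workflow and tag that produced it, which is the property a hash alone cannot give.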