Sign releases using a PGP key

[mitchellrj]

It would be nice to be able to verify release file signatures with PGP, either through signatures of the file directly or signatures of the checksum file. Particularly in light of the recent issues with codecov.

A common way to achieve this is to include checksum files in your release artifacts, along with a signature of that checksum file. Alternatively each file in the release can be signed individually.

Thank you for your consideration.

[sriv]

Thanks for raising this @mitchellrj , this makes even more sense since gauge no longer signs the binaries. Would you be interested in sending a pull request?