docker-mailman
Figure out a way to sign releases.
https://github.com/pypa/twine/issues/157
It is possible to verify packages from PyPI which are signed optionally. I don't know if it makes sense at all to verify any package if you can't verify all of them. Also if it makes sense to verify all the packages (dependencies are a lot! and all may not have signatures).
Signing images is another story, but security needs to come from the bottom up.