Please sign release tarballs and/or release tags

Open ottok opened this issue 1 year ago • 0 comments

Hi!

While working on the Debian packaging for this Go program, I noticed that there are no *.asc signatures published at https://github.com/muesli/gitcha/releases nor do the git tags in this project have signatures.

Also, I noticed that the latest v0.3.0 tag was not signed, while the ones before it were.

For better supply chain security, please consider signing both tags and release artifacts. Thanks!

ottok, Dec 07 '24 04:12