matrix-media-repo
Add `SHA256SUMS` file to github releases
It would be nice if the releases published to github would include a `SHA256SUMS` file containing all the sha256sums for the uploaded prebuilt releases. This would allow users to verify they actually downloaded the correct file.
Except for the additional work, I don't see any harm in this, but what is the specific failure mode this should protect from? Transfer errors are something that we are protected from with TLS, as the whole data stream is encrypted using authenticated encryption, which means the bytes will arrive as the server sees them, which makes these sums a bit meaningless IMO. Signatures would be something else, which would be helpful indeed, but the checksums alone don't provide much benefit IMO.
Well, the creator of the binary release would calculate the sha256sums on the same machine the release was built. Having a (ideally signed) `SHA256SUMS` file would allow users to verify they actually got the file that was originally built.
If we have reproducible builds, this could also be used to verify that nothing malicious was injected into the release.
Uploading a sha256sum file doesn't help with verifying the binary, as anyone who's able to swap out the binary could also swap out the sums. Signatures would be nice, but then I don't really see the benefit of signing a `SHA256SUMS` file over signing the individual files themselves.
Pretty much what @jcgruenhage said: sum files don't really add much value to the releases. Ideally, honestly, people who can't/won't trust the github releases should be building the project themselves anyways, where sum files make more sense for internal distribution.
At this stage though, it's best to leave out the files to prevent a false sense of security from being established.
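The two scenarios argued over in this thread, as an added example that is not part of the issue or of the matrix-media-repo project: a `SHA256SUMS` file is generated next to a set of constructed stand-in release files, the download is checked against it, one "binary" is then swapped, and finally the sums file is regenerated as an attacker who controls the release page could do. The file names and contents are made up for the demonstration; the script assumes GNU coreutils `sha256sum` and falls back to `shasum -a 256` where that is the only tool available.

```shell
#!/bin/sh
# Added example, not project code. Demonstrates what an unsigned SHA256SUMS
# file does and does not catch: a swapped file is detected only as long as
# the sums file itself is not also replaced.
# Assumes sha256sum (GNU coreutils); falls back to shasum -a 256 (BSD/macOS).

sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Write SHA256SUMS for every regular file in DIR (except SHA256SUMS itself).
# Hashing happens inside DIR so the sums file carries relative names and can
# be checked by a user after download without path fix-ups.
make_sums() {
    dir=$1
    (
        cd "$dir" || exit 1
        set --
        for f in *; do
            [ -f "$f" ] && [ "$f" != SHA256SUMS ] && set -- "$@" "$f"
        done
        [ "$#" -gt 0 ] || exit 1
        sha256_tool "$@" > SHA256SUMS
    )
}

# Check DIR against its SHA256SUMS. Prints 0 when every listed file matches,
# 1 when any file is missing or its digest differs (the tool's exit status).
check_sums() {
    dir=$1
    if (cd "$dir" && sha256_tool -c SHA256SUMS >/dev/null 2>&1); then
        echo 0
    else
        echo 1
    fi
}

# Walk through the thread's scenarios on constructed stand-in release files.
# Prints three results: "<clean> <tampered> <tampered-and-resummed>".
demo() {
    rel=$(mktemp -d)
    # Constructed stand-ins for prebuilt binaries (hypothetical names/contents).
    printf 'built-binary-v1\n' > "$rel/matrix-media-repo-linux-amd64"
    printf 'built-binary-v1\n' > "$rel/matrix-media-repo-darwin-amd64"

    make_sums "$rel"                  # release author publishes SHA256SUMS
    clean=$(check_sums "$rel")        # 0: download matches what was built

    # Attacker swaps one binary but leaves the original SHA256SUMS in place.
    printf 'trojaned-binary\n' > "$rel/matrix-media-repo-linux-amd64"
    tampered=$(check_sums "$rel")     # 1: mismatch is caught

    # Attacker also rewrites SHA256SUMS: unsigned sums cannot tell the difference.
    make_sums "$rel"
    resummed=$(check_sums "$rel")     # 0: check passes again

    rm -rf "$rel"
    echo "$clean $tampered $resummed"
}

demo
```

The middle result is the only case an unsigned sums file adds over TLS alone: the file on the release page was replaced but the sums file was not, which is exactly the window @jcgruenhage points out an attacker with upload access does not need to leave open. Signing either the sums file or the individual files is what would turn the third result back into a failure.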