musl-fts

Detached signature for release source code tarballs

Open arkevmitch opened this issue 1 year ago • 0 comments

Thanks for developing this useful library. Would it be possible to include a detached signature to authenticate the release tarballs?

While simply signing git release tags or even commits would be a step in the right direction, signing the actual released artifacts would be a huge help to users concerned about code authenticity.

It's not foolproof, but if the public key is published to a keyserver like https://keyserver.ubuntu.com/ in addition to someplace independent (like a developer's website or maybe even somewhere here on GitHub), then it can be used to provide a greater degree of confidence.

It looks like it should be a pretty straightforward process and would be much appreciated.

arkevmitch, Mar 17 '23 09:03
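
The flow requested in the issue, sketched with GnuPG as an added example that is not part of the original issue or of the musl-fts project. It assumes `gpg` 2.1 or later is installed; the key, user ID, file names and tarball contents are constructed for the demonstration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: throwaway keyring, key and tarball. One keyring plays both
# maintainer and user; a real user would import only the public key.

demo_setup() {
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME && chmod 700 "$GNUPGHOME"
    WORK=$(mktemp -d)
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <release@example.invalid>' \
        ed25519 sign never 2>/dev/null
    printf 'int placeholder;\n' > "$WORK/fts.c"
    tar -C "$WORK" -czf "$WORK/release.tar.gz" fts.c
}

# Maintainer: write an ASCII-armored detached signature beside the tarball.
sign_release() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1" 2>/dev/null
}

# Fingerprint the maintainer would publish in a second, independent place.
key_fingerprint() {
    gpg --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# User: accept only a valid signature whose primary-key fingerprint matches
# the pinned one. $1 = tarball, $2 = expected fingerprint.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }')
    [ "$signer" = "$2" ]
}

demo_setup
sign_release "$WORK/release.tar.gz"
FPR=$(key_fingerprint)
verify_release "$WORK/release.tar.gz" "$FPR" && echo "untouched tarball: accepted"
printf 'x' >> "$WORK/release.tar.gz"     # simulate a modified download
verify_release "$WORK/release.tar.gz" "$FPR" || echo "modified tarball: rejected"
```

Comparing the signer's fingerprint against a value obtained out of band is what ties the signature to the maintainer; a good signature from an unexpected key is rejected as well.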