Releases should be cryptographically signed so that users can verify their authenticity and detect tampering. Currently, Scorecard reports that no signed releases were detected.
Signing helps users confirm they are downloading legitimate ADIOS2 releases and protects against supply chain attacks in which a release artifact is substituted or modified after publication.
Options include:
- GPG signatures for release tarballs
- Sigstore/cosign for container images
- GitHub's artifact attestations for release assets
Reference: https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases
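One way to satisfy the check with the Sigstore option, as an added example rather than any workflow ADIOS2 currently ships: a GitHub Actions workflow that signs the release tarball with keyless cosign (the signing identity is the workflow itself, via GitHub OIDC, so no long-lived key is stored) and uploads the signature next to the tarball. The workflow name, tarball name and the `v*` tag convention are assumptions.

```yaml
# Added example, not ADIOS2's own workflow. Assumes releases are cut from
# tags (e.g. v2.x.y) and that the tarball name below is a placeholder.
name: sign-release

on:
  release:
    types: [published]

permissions:
  contents: write   # needed to upload assets to the GitHub release
  id-token: write   # lets cosign obtain an OIDC token for keyless signing

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build source tarball from the release tag (placeholder name)
        run: git archive --format=tar.gz -o "adios2-${GITHUB_REF_NAME}.tar.gz" "${GITHUB_REF_NAME}"

      - uses: sigstore/cosign-installer@v3

      - name: Sign the tarball (keyless; identity is this workflow)
        env:
          TARBALL: adios2-${{ github.ref_name }}.tar.gz
        run: |
          # Writes a Sigstore bundle (signature, short-lived certificate and
          # transparency-log entry) beside the tarball, plus a checksum file.
          cosign sign-blob --yes --bundle "${TARBALL}.sigstore.json" "${TARBALL}"
          sha256sum "${TARBALL}" > "${TARBALL}.sha256"

      - name: Attach tarball, signature bundle and checksum to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${GITHUB_REF_NAME}" adios2-*.tar.gz*

# Users verify a downloaded tarball against the uploaded bundle with
# (ORG/REPO and the workflow path are placeholders):
#   cosign verify-blob \
#     --bundle adios2-v2.x.y.tar.gz.sigstore.json \
#     --certificate-identity-regexp '^https://github.com/ORG/REPO/.github/workflows/sign-release.yml@refs/tags/v' \
#     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
#     adios2-v2.x.y.tar.gz
```

The verification step pins both the OIDC issuer and the workflow identity, so a bundle produced by any other repository or workflow is rejected even though it is a valid Sigstore signature.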