Wish: Generate signature files for assets (using GPG) #580
Open
Description
I think it would be valuable to sign extra packages and generate .asc files to allow offline checking (along with a trusted key from the repo?).
Is it desirable to automate this step? I think it will improve the chain of trust.
Maybe another action can do this.
According to the current gh doc, gpg is only used for signing tags or commits.
Relate-to: https://github.com/orgs/eclipse-csi/discussions/14#
This looks doable (but the trust could be subject to debate):
https://github.com/yarnpkg/yarn/blob/master/.github/workflows/signing.yml