
Attach OpenPGP signature for source tarballs to releases #3703

Closed
1 of 3 tasks
dvzrv opened this issue Jul 26, 2023 · 2 comments

Comments

@dvzrv

dvzrv commented Jul 26, 2023

Requested Feature: Since PyPI does not support (and outright removed existing) OpenPGP signatures on the platform, downstream reproducibility is now broken (see https://archlinux.org/todo/fix-reproducibility-of-packages-broken-by-pypi-removing-signature-files/)
Hence, it would be great if you could add an OpenPGP signature (using the same key as before) for the auto-generated source tarball.

Related Area: release

Do you want to contribute this yourself as a pull request? (don’t worry about it if you don’t want to/can’t — someone else can take care of it)

  • Yes, I have already written code for it (link if available and feasible)
  • Yes, I don’t have code ready yet (that’s okay!)
  • No (that’s okay too!)

Does this feature affect backwards compatibility? If yes, in what way?

Currently, reproducibility for all releases is broken if downstreams relied upon a signature file from PyPI.

Rationale and full description: (why should it be added to Nikola?)

This ensures the continued trust path of the releases and fixes reproducibility for downstreams.
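As an added example that is not part of this issue or of Nikola's own release tooling, the following POSIX shell script shows both halves of what is being requested: the maintainer producing a detached OpenPGP signature for the source tarball (the `.asc` file that gets attached to the release), and a downstream verifying that signature while pinning the expected key fingerprint rather than trusting whatever key happens to be in the keyring. It assumes GnuPG 2.x, `tar` and `gzip`; the key identity (`release@example.invalid`), version number, paths and the tarball contents are constructed stand-ins.

```sh
#!/bin/sh
# Added example, not Nikola's release tooling: produce a detached OpenPGP
# signature for a source tarball and verify it downstream with the key pinned.
# Assumes GnuPG 2.x, tar and gzip. Key identity, paths and version are stand-ins.
set -eu

WORK="${TMPDIR:-/tmp}/nikola-sig-demo.$$"
export GNUPGHOME="$WORK/gnupg"          # throwaway keyring, never the real one
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

SIGNER_UID='Release Demo <release@example.invalid>'   # hypothetical release identity
SIGNER_MAIL='release@example.invalid'

# Constructed stand-in for the auto-generated source tarball.
make_tarball() {
    mkdir -p "$WORK/nikola-8.2.4"
    echo 'version = "8.2.4"' > "$WORK/nikola-8.2.4/setup.py"
    tar -C "$WORK" -cf "$WORK/nikola-8.2.4.tar" nikola-8.2.4
    gzip -nf "$WORK/nikola-8.2.4.tar"    # -n: no file name/timestamp in the gzip header
    echo "$WORK/nikola-8.2.4.tar.gz"
}

# Maintainer side: a throwaway signing-only key (a long-lived release key in
# practice). Prints the full fingerprint, which is what downstreams pin.
make_key() {
    if ! gpg --batch --list-keys "$SIGNER_MAIL" >/dev/null 2>&1; then
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$SIGNER_UID" ed25519 sign 0 2>/dev/null
    fi
    gpg --batch --with-colons --list-keys "$SIGNER_MAIL" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Maintainer side: detached, ASCII-armoured signature stored beside the tarball.
# Both <tarball> and <tarball>.asc are what get attached to the release.
sign_tarball() {
    gpg --batch --quiet --yes --armor --detach-sign --local-user "$2" \
        --output "$1.asc" "$1"
    echo "$1.asc"
}

# Downstream side: the signature must be good AND made by the pinned fingerprint
# (the role validpgpkeys= plays in an Arch PKGBUILD). A good signature from any
# other key in the keyring is still a failure.
verify_tarball() {
    tarball=$1
    expected_fpr=$2
    status=$(gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null || true)
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | grep -q "$expected_fpr" || return 1
}

# Whole flow when the script is run directly as sign-and-verify.sh.
case "$0" in
*sign-and-verify.sh)
    tb=$(make_tarball)
    fpr=$(make_key)
    sig=$(sign_tarball "$tb" "$fpr")
    echo "signed $tb -> $sig with key $fpr"
    if verify_tarball "$tb" "$fpr"; then
        echo "verification OK"
    else
        echo "verification FAILED" >&2
        exit 1
    fi
    ;;
esac
```

The check in `verify_tarball` deliberately parses GnuPG's machine-readable `--status-fd` output instead of the exit code alone: a non-zero exit already covers a bad signature, but only the `VALIDSIG` line tells you which key signed, and that is the part that makes the trust path the issue asks for meaningful.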

@Kwpolska
Member

Ugh, the PyPA folks really love making people’s lives worse.

I uploaded 8.2.4’s assets and signatures to GitHub: https://github.com/getnikola/nikola/releases/tag/v8.2.4

I’ll update our release procedure to do the same for future releases.

@dvzrv
Author

dvzrv commented Jul 26, 2023

> I uploaded 8.2.4’s assets and signatures to GitHub: https://github.com/getnikola/nikola/releases/tag/v8.2.4
>
> I’ll update our release procedure to do the same for future releases.

Thank you! Much appreciated ❤️
