Publish reproducible-build verification recipe and distribution #228

@kwsantiago

Description

Problem

Once builds are reproducible (#227), users still need a documented recipe to verify a released APK themselves, and alternative distribution channels (F-Droid, IzzyOnDroid) require that recipe to be machine-runnable.

Depends on #227 being complete.

Proposal

  1. `REPRODUCIBLE_BUILDS.md` at repo root: exact toolchain versions, clone + checkout commands for this repo and `keep` at matching pins (per Pin keep repo commit SHA in a single source of truth #223), build command, `apksigner` verification, `diffoscope` comparison against the released APK.
  2. Ship a Dockerfile that encapsulates the recipe. Align with `keep/Dockerfile.reproducible` so both the crypto core and the Android app can be verified with one container.
  3. Apply for F-Droid inclusion with RB verification, and for IzzyOnDroid inclusion.

Acceptance

  • A third party can follow `REPRODUCIBLE_BUILDS.md` end-to-end and verify a released APK without contacting maintainers
  • At least one reproducibility-verifying distribution channel lists the app

References

Follow-up from #221. Depends on #227.
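The core of the recipe proposed above is the comparison between a released (signed) APK and the third party's local build. As an added example that is not the project's own code, the following script does that comparison entry by entry, skipping the v1 signature files in `META-INF` and, because `zipfile` only walks the ZIP entries, ignoring the scheme v2/v3 APK Signing Block that the signer inserts outside them. It complements `apksigner` (which proves who signed the release) and `diffoscope` (which explains any difference in detail); the sample APKs in the test are constructed, not real releases.

```python
"""Compare a released (signed) APK with a local build, entry by entry.

A plain sha256 of the two files never matches: signing adds the APK Signing
Block (v2/v3) outside the ZIP entries and v1 files under META-INF. Comparing
the uncompressed bytes of every other entry answers the actual question,
"is the signed release the same build as mine?".
"""
import hashlib
import io
import sys
import zipfile

# v1 (JAR) signature files written by the signer; everything else must match,
# including META-INF/*.version files that build tooling emits.
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    return name in SIGNATURE_ENTRIES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the sha256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not is_signature_entry(info.filename):
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(released: bytes, local: bytes) -> list:
    """Return sorted (entry, status) pairs for every difference; [] means reproducible."""
    a, b = entry_digests(released), entry_digests(local)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            diffs.append((name, "only in local build"))
        elif name not in b:
            diffs.append((name, "only in released APK"))
        elif a[name] != b[name]:
            diffs.append((name, "content differs"))
    return diffs


def make_apk(entries: dict) -> bytes:
    """Build a constructed sample APK (a plain ZIP suffices for this comparison)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":  # usage: compare_apks.py release.apk local.apk
    released, local = (open(p, "rb").read() for p in sys.argv[1:3])
    for entry, status in compare_apks(released, local):
        print(f"{status}: {entry}")
```

An empty result only says the entries match; the signer's identity is still checked separately with `apksigner verify --print-certs` against the published certificate fingerprint.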

Labels

  • documentation (improvements or additions to documentation)
  • enhancement (new feature or request)
  • p2 (medium priority)
  • security (security features)