GPG sign binaries; include pubkey in srcs

[jhheider]

Proof of function: https://github.com/teaxyz/cli/actions/runs/5502595335

closes #633

[what-the-diff]

PR Summary

• Enhancement in Security Measures
  The update focuses on signing the archive with GPG before it's uploaded. This step empowers the integrity and security of the archive, ensuring the artifact is unchanged and authentic since the moment of signing.

• Inclusion of GPG Pubkey in the Bundle Source
  The update also incorporates the GPG public key into the bundle source prior to the creation of the tar.xz file. This facilitates verification of the file after download, serving as a guarantee that it hasn't been tampered with after creation.

[mxcl]

I'm an idiot, we need signatures for each of the tarballs, not the binary.

Most projects aren’t single binary projects and we want this to be generalized.

[jhheider]

should be an easy enough change

[mxcl]

there's gotta be a simpler gpg clone we can start using.

needing a daemon is dumb

[jhheider]

Agreed. required as of gpg2 sadly. I mean, the safety of requiring actual passwords, and having a daemon deal with credential management was likely a well-considered decision, but it's overkill for this use case.

[mxcl]

have we published our GPG public key in a standard location?

I would have thought https://tea.xyz/KEY (but not KEY) is a standard of some sort.

[jhheider]

we haven't and I just regenerated it because we had been signing with my jacob@tea.xyz key.

the standard is usually to publish to public key servers. In the web3 space, I usually see it prominently mentioned alongside download locations so concerned individuals can check it.