make signed releases
vliw opened this issue · 1 comments
vliw commented
As I see it, the only possible way to get a tarball is letting GitHub create one for a tag. Can you sign releases somehow? At the moment, when you get the sources, you have no idea if they have been tampered with. That is the state for many GitHub projects; I don't know if there is a good solution for that, integration of sigs or so. Thanks
ioerror commented
Signed releases are uploaded to Debian.