TBD54566975 / web5-kt

Apache License 2.0

Implement release signing #267

Closed ALRubinger closed 4 months ago

ALRubinger commented 4 months ago

Not actually being signed now.

And we need policies and process around key storage, rotation, etc.

Taking the config out of the build now; to be put back when we can address it comprehensively. This isn't something we can do prior to full procedures being in place, as signing has to have excellent controls and clear verification for consumers.

Configs to inspect:

release-publish-tbd-artifactory.yml

      # Adapted from: https://gist.github.com/sualeh/ae78dc16123899d7942bc38baba5203c
      - name: Install gpg secret key
        run: |
          # Install gpg secret key
          cat <(echo -e "${{ secrets.GPG_SECRET_KEY }}") | gpg --batch --import
          # Verify gpg secret key
          gpg --list-secret-keys --keyid-format LONG

and in the Release and Publish to TBD Artifactory element where we do mvn deploy:

\
            -Dgpg.passphrase=${{ secrets.GPG_SECRET_PASSPHRASE }}

pom.xml

<profile>
  <id>release-sign-artifacts</id>
  <activation>
    <property>
      <name>performRelease</name>
      <value>true</value>
    </property>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <executions>
          <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- As advised by https://gist.github.com/sualeh/ae78dc16123899d7942bc38baba5203c -->
          <gpgArguments>
            <arg>--pinentry-mode</arg>
            <arg>loopback</arg>
          </gpgArguments>
        </configuration>
      </plugin>
    </plugins>
  </build>
</profile>

When put back, will also need to go into publish-maven-central.yml.
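
As an added illustration, not code from the web5-kt repository or its workflows, the script below does on a throwaway key what the removed workflow step and `release-sign-artifacts` profile were meant to do, and adds the consumer side that the comment above says must be clear. It creates an isolated publisher keyring, produces the detached ASCII-armoured `.asc` that `maven-gpg-plugin` emits plus the `.md5`/`.sha1` sidecars Maven Central expects, exports only the public key into a second keyring standing in for a consumer, verifies from there, and confirms that a tampered artifact is rejected. The `GPG_PASSPHRASE` and `RELEASE_KEYID` variables and the three function names are this example's own. The passphrase is read from the environment and handed to gpg over stdin rather than passed as `-Dgpg.passphrase=...` on the `mvn` command line, where it would be visible in the process list of the runner.

```shell
#!/usr/bin/env bash
# Added example, not part of web5-kt: release signing and consumer verification
# done end to end against a throwaway key in temporary keyrings.
# Names (GPG_PASSPHRASE, RELEASE_KEYID, the three functions) are this script's own.
set -euo pipefail

# Create an isolated publisher keyring in $1 holding a throwaway key.
# Sets RELEASE_KEYID to the new key's long key id.
make_throwaway_key() {
  export GNUPGHOME="$1"
  chmod 700 "$GNUPGHOME"
  gpg --batch --yes --pinentry-mode loopback --passphrase "${GPG_PASSPHRASE:?set GPG_PASSPHRASE}" \
      --quick-generate-key "web5-kt release (example) <release@example.invalid>" default default never \
      2>/dev/null
  RELEASE_KEYID="$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "sec" { print $5; exit }')"
}

# Sign one artifact the way maven-gpg-plugin does (detached, ASCII-armoured .asc)
# and write the .md5/.sha1 sidecars Maven Central requires next to it.
# The passphrase comes from the environment and is fed to gpg on stdin, so it
# never appears in the process list the way -Dgpg.passphrase=... does.
sign_release_artifact() {
  local artifact="$1" keyid="$2"
  gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
      --local-user "$keyid" --armor --detach-sign --output "$artifact.asc" "$artifact" \
      <<<"${GPG_PASSPHRASE:?set GPG_PASSPHRASE}"
  md5sum  "$artifact" | cut -d' ' -f1 > "$artifact.md5"
  sha1sum "$artifact" | cut -d' ' -f1 > "$artifact.sha1"
}

# Consumer-side check: both checksums must match and the detached signature must
# verify against a public key already imported from the publisher's announced
# fingerprint. Returns 1 on any mismatch, bad signature, or unknown key.
verify_release_artifact() {
  local artifact="$1"
  [ "$(md5sum  "$artifact" | cut -d' ' -f1)" = "$(cat "$artifact.md5")"  ] || { echo "md5 mismatch: $artifact" >&2;  return 1; }
  [ "$(sha1sum "$artifact" | cut -d' ' -f1)" = "$(cat "$artifact.sha1")" ] || { echo "sha1 mismatch: $artifact" >&2; return 1; }
  gpg --batch --verify "$artifact.asc" "$artifact" 2>/dev/null || { echo "bad or unknown signature: $artifact" >&2; return 1; }
}

# Full round trip: publisher keyring -> sign -> export public key only ->
# consumer keyring -> verify -> tamper -> verification must fail.
demo_release_signing() {
  local publisher consumer work
  publisher="$(mktemp -d)"; consumer="$(mktemp -d)"; work="$(mktemp -d)"
  export GPG_PASSPHRASE="throwaway-passphrase-for-this-demo"
  make_throwaway_key "$publisher"
  # Constructed stand-in for a built artifact; a real release signs the jar, pom,
  # sources and javadoc jars.
  printf 'not a real jar, just bytes to sign\n' > "$work/web5-0.0.1.jar"
  sign_release_artifact "$work/web5-0.0.1.jar" "$RELEASE_KEYID"
  # What goes to a keyserver for consumers: the public key, never the secret key.
  gpg --batch --armor --export "$RELEASE_KEYID" > "$work/release-key.asc"
  gpgconf --kill gpg-agent 2>/dev/null || true
  export GNUPGHOME="$consumer"; chmod 700 "$consumer"
  gpg --batch --import "$work/release-key.asc" 2>/dev/null
  verify_release_artifact "$work/web5-0.0.1.jar" || return 1
  echo "verified against fingerprint $(gpg --batch --with-colons --fingerprint "$RELEASE_KEYID" | awk -F: '$1 == "fpr" { print $10; exit }')"
  printf 'tampered' >> "$work/web5-0.0.1.jar"
  if verify_release_artifact "$work/web5-0.0.1.jar" 2>/dev/null; then
    echo "BUG: tampered artifact verified" >&2; return 1
  fi
  echo "tampered artifact rejected"
  gpgconf --kill gpg-agent 2>/dev/null || true
}

if command -v gpg >/dev/null 2>&1; then
  demo_release_signing
else
  echo "gpg not installed; nothing to demonstrate" >&2
fi
```

`verify_release_artifact` deliberately runs with a keyring that holds only the public key, which is the situation a downstream build is in; the fingerprint printed at the end is what a project would publish alongside the keyserver upload so consumers can check they imported the right key. The checksum files are written as bare hex, which is the form Maven repositories serve.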

ALRubinger commented 4 months ago

Needs to be handled in #217

https://central.sonatype.org/publish/requirements/

It's a publish requirement for Maven Central.