ci/contributing: verify donation address/qr's are signed

[plowsof]

with this PR i have moved the general fund donation addresses/qr checksums into a _data file that can be signed. this is confirmed in the workflow

thoughts? if this is useful we can ask bF to verify/sign the file.

• [x] Btc QR code with a consistent address
• [x] Confirm _data is gpg signed
• [x] Check hashes of QR's
• [x] Confirm scanned QR content == expected
• [x] Monero QR now has "monero:" uri
• [ ] After review ask bF to sign the file

to sign: (whilst in _data) gpg --output contributing.yml.asc --armor --detach-sig contributing.yml overwrite existing file :heavy_check_mark:

[netlify[bot]]

✅ Deploy Preview for barolo-time-757cf9 ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	3b613791edb5c976c3ad9e17a76088745e581e77
🔍 Latest deploy log	https://app.netlify.com/sites/barolo-time-757cf9/deploys/67135cc4f024250008b0d100
😎 Deploy Preview	https://deploy-preview-2394--barolo-time-757cf9.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[nahuhh]

LGTM. I have no preference over who signs the file, as long as its signed and correct.

if using your key, perhaps we should use your pgp key from the gitian.sigs repo(?).

[plowsof]

My plan is to either:

1. Drop / amend the commit adding the signed file with binaryFates signed version.
2. Add the hardcoded checksum in the workflow file and merge asap while we await the signed file (if that causes delays, but i've not asked yet)

i have sanity checked that the workflow fails correctly:

• file has to be signed
• external things such as diffs in checksum of qr images
• the content of the QRs must match exactly what resides in contributing.yml (both xmr/btc)

after first approval(s) i can proceed with 2 then 1 or 1*

[plowsof]

Thank you for the reviews. i will ask bF to sign the file for us