openSUSE / openSUSE-release-process


Better define task to sign images #34

Open lkocman opened 4 years ago

lkocman commented 4 years ago

We're expected to sign the .sha256 files; these files need to match the filename.

The .sha256 files are expected to be signed with the openSUSE key, and that is outdated internally, so you have to sign the files on obs-back.

This particular file is signed by build2048@suse.de

```
gpg --verify openSUSE-Leap-15.2-NET-x86_64.iso.sha256
gpg: Signature made Tue 30 Jun 2020 05:52:30 PM CEST
gpg:                using RSA key 70AF9E8139DB7C82
gpg: Good signature from "SuSE Package Signing Key <build@suse.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FEAB 5025 39D8 46DB 2C09 61CA 70AF 9E81 39DB 7C82
```

lkocman commented 4 years ago

Task to do this for 15.2 is here https://progress.opensuse.org/issues/61560

lkocman commented 4 years ago

Seems like our signatures are gone now https://www.reddit.com/r/openSUSE/comments/ilddbe/why_are_opensuse_mirrors_all_using_insecure_http/g3u433c/?context=3

bmwiedemann commented 4 years ago

The key ID above is different from the one listed on https://software.opensuse.org/distributions/leap ( 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 ) - that discrepancy would cause many user questions.