Support for signed tags

[peritus]

Hey @MarkusH, thanks for this pull request and greetings to where ever you are on your round-the-world trip when reading this :)

Some questions we should answer before merging this:

• Could there be a good default for this ?
• Could we auto-detect that the vcs is set up to sign tags ?
• Would it make sense to also sign commits ?
• Would it make sense to make signing tags vs signing commits configurable separately ?

Note to self: This also needs tests, and mercurial support.

[MarkusH]

Hey @peritus thanks for getting back to me. Let me answer your questions as good as I remember:

1. False, as you need a working GPG setup with your own PK
2. Hard to tell and given that's it most likely only be used by a few people I think it's not necessary worth the effort in the beginning. Maybe in the future.
3. I've never signed commits. And quite frankly, checking out commits might be common, but what are the odds that you have two commits with the same hash on the same repository. I personally only use commit hash if I'm the author of the package or know and trust the authors.
4. Not necessary as per 3.

I don't use HG so I'd ask you for that integration.

[kynan]

@MarkusH This has gone stale, any chance of rebasing please?

@peritus This closely relates to #58, which of these two feels more "ready" to you? Would be great to have both!

[MarkusH]

Closing in favor of #58 seems to make sense when that adds signing support.