Sign releases with sigstore

[fridex]

Is your feature request related to a problem? Please describe.

As a user of Thoth, I would like to make sure releases of thamos are signed so that I can be sure about advises it provides to me.

Describe the solution you'd like

Sign Thamos releases.

Additional context

We should start signing releases of our components. We can start with user-facing parts, but also libraries running in the backend should be signed to make sure the whole application is secure.

[codificat]

/kind feature

[codificat]

Related: https://github.com/thoth-station/core/issues/345

[goern]

/priority important-longterm

[sesheta]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[mayaCostantini]

https://github.com/trailofbits/sigstore-python

[goern]

/remove-lifecycle stale /priority important-soon /remove-priority important-longterm

[sesheta]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[mayaCostantini]

/remove-lifecycle stale

[mayaCostantini]

/sig stack-guidance

[codificat]

A couple of related references:

• https://kushaldas.in/posts/using-sigstore-python-to-sign-and-verify-your-software-release.html
• https://github.com/sigstore/sigstore-python/blob/main/.github/workflows/release.yml