Repository signing #11

@discordier

We might want to utilize automatic signing for the repository (and maybe for our tools).
Some reading is available at phar-io/phive#221.

I am currently thinking about the following aspects:

  • We want automatic signing (we are not at the computer 24/7)
  • We do not want to trust GitHub on signing for the matters of account hijacking
  • We should leave the "dirty work" to GitHub Actions
  • We should sign on a separate (trusted, self-owned) server by providing:
    • The key passphrase automatically for repository builds (as they happen on a daily basis).
    • The key passphrase manually for tool builds for each build run after tests succeeded.


Labels: question (Further information is requested)
