sign generated packages

[majewsky]

What this means in detail depends on the generator.

• For debian, nothing needs to be done since Debian packages are usually not signed. Debian, Ubuntu etc. just sign the repository metadata (which probably contains cryptographic checksums of the package files).
• For pacman, when a package file is written, and signing is configured in /etc/makepkg.conf, run gpg --detach-sign --use-agent [-u $gpg_key] --no-armor $package_file to produce $package_file.sig. (This obviously doesn't work when the output file is stdout.)
• Since rpm is a mess, I'll leave it out of the scope of this issue and do a follow-up issue later.

[majewsky]

Putting this on the back-burner. For Arch, there is now https://github.com/majewsky/art which takes care (among other things) of signing the packages that holo-build generates.

[ghost]

I could really need this for alpine. If we setup alpines abuild as dependency of holo-build, we can reuse the existing signing infrastructure.