Sign published artifacts checksums

We might want to provide a way to verify the jenkins autobuild isos published on nightly.t.b.o. That way we can have people safely downloading an trying them.

Point is that we can’t use our main pgp signing key for this task, as it will be used on a remote server.

We might end on using a signing subkey or more likely to manage a new secret key, signed by our main one.

Parent Task: #5653 (closed)

Subtasks

#6266 (closed)
#6267 (closed)
#6268 (closed)

Original created by @bertagaz on 6193 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information