Start releasing sigsum-go?
packaging of sigsum-go is happening in debian, see: https://bugs.debian.org/1061153
feedback from @jas: it would be helpful if we gpg-sign tags or tarballs (it would not be much help to ssh-sign because debian doesn't have any infrastructure for verifying ssh keys).
If we start signing we should probably also consider releasing sigsum-go in a similar way as we release log-go, which this issue is a placeholder for.
Edited by Linus Nordberg