Implement linux package signing

[codefromthecrypt]

#395 removes linux package signing because it was broken and not noticed because it wasn't tested. Let's try again!

Notably, to know this works. the rpm and deb test scripts should verify signatures always, defaulting to the test ones.

Ex.
https://github.com/goreleaser/nfpm/blob/39f5bf392d22c9284f45cb9f5c34c06c4901fef1/testdata/acceptance/rpm.dockerfile#L68-L76
https://github.com/goreleaser/nfpm/blob/39f5bf392d22c9284f45cb9f5c34c06c4901fef1/testdata/acceptance/deb.dockerfile#L67-L78

[codefromthecrypt]

note: it seems github CLI signs external to nfpm. I don't necessarily care whether signing is done inside nfpm or external to it. However, we should probably do that internal to our makefile as opposed to shell scripts pasted into yaml https://github.com/cli/cli/blob/trunk/.github/workflows/releases.yml