Sign PHARs using private key and publish integrity hash separately
We should add a private key to the GitLab CI variables that signs each PHAR, and publish the corresponding public key, so others can verify the build comes from a trusted source. Next to that, we should also publish an integrity hash when releasing a new version, so the integrity can be validated if desired.