
add checksums to packaging

David Marshall requested to merge dwmarshall/client:add-checksums into master

For Linux systems, output a checksum of the generated artifacts. The build log is more persistent than the artifacts themselves, so having a checksum will be useful for verifying the authenticity of packages for the indefinite future.

Here's the use case to solve: we'd like to use CINC packages, but they're not currently signed. With no disrespect to Oregon State, we can't fully trust packages we get from any third-party website. While we can see the actual packages that were built on GitLab for about two weeks, that's the limit before they're removed. By outputting some checksums into the build log, it's a much longer-lasting record that can be used to verify authenticity.

Furthermore, I don't know that there's a lot of value if CINC suddenly began signing the RPMs (and other packages) that are generated, because such signatures are only worth the amount of trust in whoever controls the key. It might be a good solution if GitLab offered a capability to have the CI/CD system sign packages only as an indicator that something was built on GitLab.
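As an added example, not code from this merge request or from the client repository, the following POSIX shell script does what the description proposes: it records a SHA-256 line per artifact in the CI job log and later checks a downloaded package against a line copied from that log. The artifact directory argument, the `*.rpm`/`*.deb` name patterns and the constructed demo files are assumptions.

```shell
#!/bin/sh
# Added example, not code from the dwmarshall/client merge request.
# Records SHA-256 checksums of packaging artifacts in the CI build log, and
# later verifies a downloaded package against one line copied from that log.
# Assumptions: artifacts are *.rpm / *.deb files in the directory given as $1;
# sha256sum(1) (or shasum(1) as a fallback) is on PATH.
set -eu

# Hash one file, printing "<hex digest>  <name>" exactly as sha256sum does.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Print one checksum line per artifact, using the bare file name so the
# line in the log does not depend on the CI checkout path.
record_checksums() {
    dir="$1"
    ( cd "$dir" && for f in *.rpm *.deb; do
        [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
        hash_file "$f"
    done )
}

# Compare a downloaded file with a checksum line taken from the build log.
# Exit status 0 on match, 1 on mismatch. Only the digest field is used; the
# file name in the log line is informational and is not trusted.
verify_against_log_line() {
    file="$1"        # local path of the downloaded artifact
    logline="$2"     # e.g. "9f86d0...  cinc-demo.rpm" as printed above
    expected=${logline%% *}           # first field: the recorded digest
    actual=$(hash_file "$file")
    actual=${actual%% *}
    [ "$expected" = "$actual" ]
}

# Stand-alone demo with constructed artifacts (not real CINC packages).
demo=$(mktemp -d)
printf 'constructed rpm payload\n' > "$demo/cinc-demo.rpm"
printf 'constructed deb payload\n' > "$demo/cinc-demo.deb"
echo "== checksums as they would appear in the build log =="
record_checksums "$demo"
line=$(record_checksums "$demo" | head -n 1)
verify_against_log_line "$demo/cinc-demo.rpm" "$line" && echo "cinc-demo.rpm verifies"
rm -rf "$demo"
```

In a `.gitlab-ci.yml` this would run as a `script:` step of the packaging job after the packages are built, so the digests become part of the job log. Once the artifacts themselves have expired, fetch the package from the download site and pass the log line to `verify_against_log_line`. A match shows the download is byte-identical to what the pipeline produced; it says nothing about whether that pipeline and its inputs were trustworthy, which is the same limit the description notes for a signature.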
