Check package integrity in package promotion step
In gitlab-org/release/tasks#235 (comment 76027230), we saw that an artifacts file could fail to extract, leading to a corrupt uploaded package file.
I think the build should fail in this case (gitlab-runner#3326), but until the runner is fixed, could we:
- Add the MD5/SHA256 signature of the package file
- When the package promotion step runs, ensure that the signature matches the file downloaded by the artifacts step
I noticed we also sign the packages, so we could just verify the signature, but I'm not sure if we sign everything at the moment.
/cc: @marin, @mayra-cabrera, @jameslopez
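
One way to implement the checksum check proposed above, as an added example that is not part of the original issue or of GitLab's release tooling: the build job records a SHA-256 digest next to the package, and the promotion job recomputes it on the downloaded artifact and refuses to upload on a mismatch. The function names and the `.sha256` sidecar file are assumptions, `sha256sum` from GNU coreutils is assumed to be on the runner, and a digest shipped alongside the artifact catches truncation or corruption only, not tampering (that is what verifying the package signature would cover).

```shell
#!/bin/sh
# Added example: helper names and the .sha256 sidecar convention are hypothetical.

# Build job: write <package>.sha256 next to the package so both are
# collected together as artifacts.
record_checksum() {
  pkg=$1
  [ -s "$pkg" ] || { echo "refusing to hash missing/empty file: $pkg" >&2; return 1; }
  # Store only the hex digest so the check does not depend on the path
  # the artifact is extracted to in a later job.
  sha256sum "$pkg" | awk '{print $1}' > "$pkg.sha256"
}

# Promotion job: recompute the digest of the downloaded file and compare.
# Returns 0 on match, 1 on mismatch, 2 when the package or checksum is missing.
verify_checksum() {
  pkg=$1
  [ -f "$pkg" ] && [ -s "$pkg.sha256" ] || {
    echo "missing package or checksum: $pkg" >&2
    return 2
  }
  expected=$(cat "$pkg.sha256")
  actual=$(sha256sum "$pkg" | awk '{print $1}')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $pkg: expected $expected, got $actual" >&2
    return 1
  fi
}

# Promotion step wrapper: stop before any upload if one package fails the check.
promote_if_intact() {
  for pkg in "$@"; do
    verify_checksum "$pkg" || return 1
  done
  echo "all packages verified; safe to upload"
}
```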