In the release process, please include CHECKSUMS of the distributed zipfiles. The hash should be SHA256 or SHA512. Optionally, though it looks like it might be hard in your release process, the CHECKSUMS file should be GPG-signed. Example of JQ adding checksums: https://github.com/jqlang/jq/issues/726
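
The requested checksum step, as an added example (not code from this issue or from the project's release tooling): the release side writes a CHECKSUMS file of SHA256 digests for the zipfiles, and the download side verifies each archive against it. The archive names and function names are assumptions made for illustration; GPG signing of the file is not shown.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large release archives are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_checksums(release_dir: Path, pattern: str = "*.zip") -> None:
    """Release side: write one 'HEX  NAME' line per archive (sha256sum text format)."""
    lines = [f"{sha256_file(p)}  {p.name}" for p in sorted(release_dir.glob(pattern))]
    (release_dir / "CHECKSUMS").write_text("\n".join(lines) + "\n", encoding="utf-8")


def verify_checksums(release_dir: Path) -> dict:
    """Download side: return {name: 'OK' | 'MISMATCH' | 'MISSING' | 'REJECTED'}."""
    results = {}
    for line in (release_dir / "CHECKSUMS").read_text(encoding="utf-8").splitlines():
        expected, _, name = line.partition("  ")
        if Path(name).name != name or len(expected) != 64:
            results[name] = "REJECTED"  # entry has a path component or a malformed digest
        elif not (release_dir / name).is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(release_dir / name), expected.lower()):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict:
    """Constructed sample: two fake archives, one altered after CHECKSUMS is written."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "tool-1.0-linux.zip").write_bytes(b"constructed archive A")
        (d / "tool-1.0-windows.zip").write_bytes(b"constructed archive B")
        write_checksums(d)
        (d / "tool-1.0-windows.zip").write_bytes(b"altered after release")
        return verify_checksums(d)


if __name__ == "__main__":
    print(demo())
```

The file written here uses the same two-space line format that `sha256sum -c CHECKSUMS` reads, so users can verify downloads without this script.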