Sign releases again

The new automation workflow doesn't sign the Git tag or the tarball as
we used to.  Since the tag is still created locally, sign it directly.

For signing the tarball; build it locally and compare the extracted
tarball with the one produced by GitHub.

Closes #11996

build_tools/release-notes.sh

@@ -79,9 +79,12 @@ if test -z "$CI" || git -C "$workspace_root" tag | grep -q .; then {
     echo
     echo "---"
     echo
-    echo "*Download links: To download the source code for fish, we suggest the file named \"fish-$version.tar.xz\". The file downloaded from \"Source code (tar.gz)\" will not build correctly.*"
+    echo 'Download links:'
+    echo 'To download the source code for fish, we suggest the file named ``fish-'"$version"'.tar.xz``.'
+    echo 'The file downloaded from ``Source code (tar.gz)`` will not build correctly.'
+    echo 'A GPG signature using the key published at '"${FISH_GPG_PUBLIC_KEY_URL:-???}"' is available as ``fish-'"$version"'.tar.xz.asc``.'
     echo
-    echo "*The files called fish-$version-linux-\*.tar.xz are experimental packages containing a single standalone ``fish`` binary for any Linux with the given CPU architecture.*"
+    echo 'The files called ``fish-'"$version"'-linux-\*.tar.xz`` are experimental packages containing a single standalone ``fish`` binary for any Linux with the given CPU architecture.'
 } >"$relnotes_tmp/fake-workspace"/CHANGELOG.rst
 
 sphinx-build >&2 -j auto \