Provide some explanatory prose about handling of OpenPGP signatures
for Git tags and similar release artifacts. Also provide a copy of
the corresponding public keys, for improved provenance. New keys
should be added each cycle as they're rotated into use.
Change-Id: I083bc8acf8d95e938afb5446d786eedf4fc43751