This repository has been archived by the owner on Jul 23, 2024. It is now read-only.
Describe the bug
When a user downloads this Python module using pip, there is no cryptographic authenticity or integrity validation to protect the user from a MITM attack.
Therefore, this project is making any other projects that obtain the install module via pip in their build process vulnerable to a watering hole attack.
Expected behavior
A developer should have a mechanism to cryptographically verify the integrity and authenticity of this package when obtaining it through pip.
To Reproduce
pip install install
Additional context
As far as I can tell, this is the only package required for @theupdateframework that cannot be cryptographically validated when installing tuf and its dependencies on Debian, which is a pretty important security risk for users trying to bootstrap a secure updater that itself can't be secured.
Possible solutions include:
- Using the --sign argument of twine when uploading packages to PyPI
- Publishing a cryptographically signed document (ideally using gpg) listing the hashes for all packages uploaded to PyPI, which users can then pass into pip using the --hash argument
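The second proposal, carried through as an added example that is not part of the issue or of the install project: parse a maintainer-published hash manifest, turn it into pip `--hash` pins for `pip install --require-hashes`, and check a downloaded file against it. The manifest layout, the 0.0.0 version and the artifact bytes are constructed for the example; verifying the gpg signature on the manifest before trusting it is assumed to happen first and is not shown.

```python
import hashlib
import hmac

# Constructed bytes standing in for a downloaded wheel (not a real artifact).
SAMPLE_WHEEL_BYTES = b"constructed wheel contents for the example"
SAMPLE_WHEEL_SHA256 = hashlib.sha256(SAMPLE_WHEEL_BYTES).hexdigest()

# Constructed manifest in the shape the issue proposes: one line per file
# uploaded to PyPI with name, version, file name and sha256. Placeholder version.
SAMPLE_MANIFEST = f"""\
# name version filename sha256
install 0.0.0 install-0.0.0-py3-none-any.whl {SAMPLE_WHEEL_SHA256}
install 0.0.0 install-0.0.0.tar.gz {hashlib.sha256(b'constructed sdist').hexdigest()}
"""


def parse_manifest(text):
    """Return {filename: (name, version, sha256)}; reject malformed digests."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, filename, digest = line.split()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed sha256 for {filename}")
        entries[filename] = (name, version, digest)
    return entries


def to_requirements(entries):
    """Emit requirements.txt lines pinning every listed digest with --hash.
    pip accepts several --hash options per requirement (wheel and sdist), and
    `pip install --require-hashes -r requirements.txt` then refuses any
    artifact whose digest is not in the list."""
    by_req = {}
    for name, version, digest in entries.values():
        by_req.setdefault(f"{name}=={version}", []).append(digest)
    lines = []
    for req, digests in sorted(by_req.items()):
        lines.append(req + "".join(f" \\\n    --hash=sha256:{d}" for d in sorted(digests)))
    return "\n".join(lines) + "\n"


def verify_artifact(entries, filename, data):
    """True only if the file is listed and its sha256 matches the manifest."""
    entry = entries.get(filename)
    if entry is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), entry[2])
```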