cmd/dist,release/dist: sign release tarballs with an ECDSA key (#8759)

Pass an optional PEM-encoded ECDSA key to `cmd/dist` to sign all built
tarballs. The signature is stored next to the tarball with a `.sig`
extension.

Tested this with an `openssl`-generated key pair and verified the
resulting signature.

Updates #8760

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Andrew Lytvynov
2023-07-31 15:47:00 -07:00
committed by GitHub
parent ed46442cb1
commit eef15b4ffc
4 changed files with 63 additions and 10 deletions

5
cmd/dist/dist.go vendored

@@ -6,6 +6,7 @@ package main
import (
"context"
"crypto"
"errors"
"flag"
"log"
@@ -19,10 +20,10 @@ import (
var synologyPackageCenter bool
func getTargets() ([]dist.Target, error) {
func getTargets(tgzSigner crypto.Signer) ([]dist.Target, error) {
var ret []dist.Target
ret = append(ret, unixpkgs.Targets()...)
ret = append(ret, unixpkgs.Targets(tgzSigner)...)
// Synology packages can be built either for sideloading, or for
// distribution by Synology in their package center. When
// distributed through the package center, apps can request