path: root/posts/signify-cgit.md
author: Wolfgang Müller, 2021-05-22 13:22:34 +0200
committer: Wolfgang Müller, 2021-05-22 13:22:34 +0200
commit: 0da8a6e3d85a98e38b1abc2499f7e7b3fe5d9534 (patch)
tree: ef5f061ddaecc6dee62a740ec7de297c5491fcf0 /posts/signify-cgit.md
parent: 7d3a8b42587ba51c6f5c738d1c4c35cb7d405e20 (diff)
download: site-0da8a6e3d85a98e38b1abc2499f7e7b3fe5d9534.tar.gz
posts: Add guide to verify a commit from a tarball
When generating archives, git-archive(1) puts the commit ID in the global extended pax header. Therefore, an interesting side effect of signing tarballs generated with git-archive(1) is that we also implicitly sign a commit. Whilst we don't expect anyone to go through the hurdles needed to verify such a commit signature, make sure to document this case anyway.
Diffstat (limited to 'posts/signify-cgit.md')
0 files changed, 0 insertions, 0 deletions
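
The commit message above says git-archive(1) stores the commit ID in the global extended pax header. The following is an added example, not part of this commit or the post it documents, showing how that ID can be read back out of a tarball whose signature has already been verified. The function names, the sample archive and the sample ID are constructed for illustration, and a 40-character SHA-1 object ID is assumed.

```python
import gzip
import io
import re
import tarfile

BLOCK = 512  # tar block size


def commit_id_from_tarball(data: bytes):
    """Return the commit ID from the pax global header, or None if absent."""
    if data[:2] == b"\x1f\x8b":  # gzip magic: handle .tar.gz
        data = gzip.decompress(data)
    header = data[:BLOCK]
    # Offset 156 is the typeflag; "g" marks a pax global extended header.
    if len(header) < BLOCK or header[156:157] != b"g":
        return None
    try:
        size = int(header[124:136].rstrip(b"\0 "), 8)  # octal size field
    except ValueError:
        return None
    payload = data[BLOCK:BLOCK + size]
    pos = 0
    # Each pax record is "<len> <key>=<value>\n"; <len> counts the whole record.
    while pos < len(payload):
        sp = payload.find(b" ", pos)
        if sp < 0 or not payload[pos:sp].isdigit():
            break
        length = int(payload[pos:sp])
        if length <= sp - pos + 1:  # malformed length, stop parsing
            break
        key, sep, value = payload[sp + 1:pos + length].partition(b"=")
        if sep and key == b"comment":
            text = value.rstrip(b"\n").decode("ascii", "replace")
            return text if re.fullmatch(r"[0-9a-f]{40}", text) else None
        pos += length
    return None


def build_sample(commit_id=None) -> bytes:
    """Constructed .tar.gz sample; commit_id goes in the global header."""
    buf = io.BytesIO()
    headers = {"comment": commit_id} if commit_id else None
    with tarfile.open(fileobj=buf, mode="w:gz", format=tarfile.PAX_FORMAT,
                      pax_headers=headers) as tar:
        tar.addfile(tarfile.TarInfo("site/README"), io.BytesIO(b""))
    return buf.getvalue()


SAMPLE_ID = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit
```

The returned ID is only as trustworthy as the archive bytes it came from, so run this after the tarball's signature check has passed, never before. `git get-tar-commit-id` reads the same header from an uncompressed tar on standard input.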