Specify public key for verifying signatures for downloaded tarball releases #212

Open
ullbeking opened this issue Mar 4, 2021 · 0 comments

I've not submitted a PR because I don't know how the signer would like this to be specified.

I downloaded https://github.com/notqmail/notqmail/releases/download/notqmail-1.08/notqmail-1.08.tar.gz and https://github.com/notqmail/notqmail/releases/download/notqmail-1.08/notqmail-1.08.tar.gz.sig recently. I wanted to verify the gzipped tarball according to the signature, but there was no link to the public key so that I could use gpg --verify to use public-key cryptography to verify the download.

I ended up asking around in IRC, then doing a Google search for a username that I don't know anything about. I'm new to the qmail world. I ended up finding the (apparently) real name of the person who signed the tarball. I then searched for their name on Google to find their public key fingerprint, and finally used gpg --search-keys to download the public key from a keyserver while hoping that the public keyserver system is presently working.

I know how to use GPG. The problem was that I didn't know which public key to install to verify the signature. It would be very useful to include this in the installation instructions.

Like I mentioned, I would have written the PR myself, but it's not my key and after a recent conversation in #qmail on Freenode, it seems to me that it would be better to leave this to the signer. I would be happy to help write this piece of documentation, however, so if I can help, let me know.

@DerDakon DerDakon added the documentation Improvements or additions to documentation label Mar 4, 2021
@DerDakon DerDakon self-assigned this Mar 4, 2021
@schmonz schmonz added this to the 1.09.1 milestone Feb 1, 2024
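What the requested documentation would enable, as an added example that is not part of the issue or the notqmail project: once a fingerprint is published, a downloader can accept the tarball only when gpg reports a valid signature from that exact key, instead of trusting whichever key a keyserver search returns. `PINNED_FPR` is a placeholder (the issue does not state the real fingerprint), and the function names `check_status` and `verify_release` are hypothetical.

```shell
# Placeholder only: replace with the fingerprint the project publishes.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line names
# the pinned key, either as the signing key or as its primary key.
# $1 = pinned fingerprint (40 hex digits; spaces and lower case are accepted)
check_status() {
    local want rc tag kw fpr rest primary
    rc=1                                    # no valid signature seen yet
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 2       # refuse short key IDs
    while read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            VALIDSIG)
                primary=${rest##* }         # last field: primary key fingerprint
                if [ "$fpr" = "$want" ] || [ "$primary" = "$want" ]; then
                    rc=0
                else
                    return 1                # valid signature, but from another key
                fi ;;
            # Policy choice in this example: expired or revoked keys and
            # expired signatures are rejected along with outright failures.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
        esac
    done
    return "$rc"
}

# $1 = tarball, $2 = detached signature, $3 = pinned fingerprint
# The key must already be in the local keyring; status lines go to stdout,
# gpg's human-readable messages (stderr) are discarded.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Usage with the files named in the issue:
#   verify_release notqmail-1.08.tar.gz notqmail-1.08.tar.gz.sig "$PINNED_FPR" \
#       && echo "signature made by the pinned key"
```

Comparing the full 40-digit fingerprint matters here because a short key ID or a signer name found by searching can match more than one key.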