Make build.sh download the CI-generated tarball digest
The idea here is to use that checksum and compare it with what we just generated on our side. If it matches, sign and upload the signature.
The CI release pipeline will still verify the signatures after that.
The point of all this is to "know" what we are signing and not just randomly upload a signature of some file.
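
One way to implement the compare-before-sign check described above, as an added example that is not the project's build.sh. It assumes the CI digest has already been downloaded to a local file in `sha256sum` output format, and `SIGN_CMD` is a hypothetical override for the signing command.

```shell
#!/bin/sh
# Added example, not the project's build.sh. Assumptions: the CI digest file is
# in `sha256sum` output format ("<hex>  <name>") and was already downloaded;
# SIGN_CMD is a hypothetical override for the signing command.

# Print the SHA-256 of a file as lowercase hex.
local_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Extract the expected hex digest from the CI digest file; reject anything
# that is not exactly 64 hex characters.
expected_digest() {
    d=$(awk 'NR==1 {print tolower($1)}' "$1")
    case "$d" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#d}" -eq 64 ] || return 1
    printf '%s\n' "$d"
}

# Sign the tarball only when the local digest equals the CI digest.
# Returns 0 after signing, 1 on mismatch, 2 on a missing/malformed input.
verify_then_sign() {
    tarball=$1 digest_file=$2
    [ -f "$tarball" ] && [ -f "$digest_file" ] || { echo "missing input" >&2; return 2; }
    want=$(expected_digest "$digest_file") || { echo "malformed digest file" >&2; return 2; }
    got=$(local_digest "$tarball")
    if [ "$got" != "$want" ]; then
        echo "digest mismatch: local=$got ci=$want; not signing" >&2
        return 1
    fi
    # Default: detached ASCII-armored GPG signature next to the tarball.
    ${SIGN_CMD:-gpg --armor --detach-sign} "$tarball"
}
```

A mismatch returns before the signing command is ever invoked, so a locally built tarball that differs from the CI artifact never gets a signature.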