Thanks a lot, that's very useful. Something I'm not sure about: shall we sign only the "archive-contents" file or both "archive-contents" and "org-YYYYMMDD.tar"?
For the public key of Org ELPA, where would you expect to download it from? https://orgmode.org/elpa/key.asc or https://pgp.mit.edu or both?

--
Bastien