Comment 3 for bug 1118469

Jeremy Stanley (fungi) wrote:

I forgot to mention that the validation job running at step #1 should also verify the OpenPGP signature of the git tag it checks out, and optionally check the key which signed that tag against a local keyring of authorized signing keys for that particular project to ensure it is not getting a git repository which has been tampered with. These could also be the same keyrings used as whitelists to trigger upload jobs if/when we decide to take it to that level.
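As an added example (not code from this bug thread or from the CI jobs it discusses), a POSIX shell check for the validation step the comment describes: it verifies the tag's OpenPGP signature with `git verify-tag` inside a per-project GnuPG home that holds only that project's authorized keys, then requires the signing key's fingerprint to appear in a project allowlist file. The GnuPG home path, allowlist path and fingerprints are assumed placeholders.

```shell
#!/bin/sh
# Added example: validate a checked-out git tag as the comment describes.
# Assumptions (placeholders): the GnuPG home passed in contains only the
# project's authorized signing keys; the allowlist is a text file with one
# full 40-hex-digit key fingerprint per line (lines starting with '#' ignored).

# Read `git verify-tag --raw` status lines on stdin and print the fingerprint
# of the key that produced a GOOD signature; print nothing otherwise.
good_sig_fingerprint() {
    awk '
        /^\[GNUPG:] GOODSIG /  { good = 1 }
        # VALIDSIG: $3 is the signing (sub)key fingerprint; $12, when present,
        # is the primary key fingerprint, which is what the allowlist holds.
        /^\[GNUPG:] VALIDSIG / { fpr = (NF >= 12) ? $12 : $3 }
        END { if (good && fpr != "") print fpr }
    '
}

# Exit 0 if the fingerprint is listed (whole line, case-insensitive) in the allowlist.
fingerprint_allowed() {
    fpr=$1; allowlist=$2
    grep -v '^#' -- "$allowlist" | grep -qixF -- "$fpr"
}

# Verify a tag's OpenPGP signature against the project keyring and allowlist.
verify_project_tag() {
    tag=$1; gnupghome=$2; allowlist=$3
    # --raw sends gpg's machine-readable status lines to stderr; capture them.
    # A key absent from this GNUPGHOME cannot verify at all (NO_PUBKEY -> failure).
    if ! status=$(GNUPGHOME="$gnupghome" git verify-tag --raw "$tag" 2>&1 >/dev/null); then
        printf 'tag %s: signature did not verify\n' "$tag" >&2
        return 1
    fi
    fpr=$(printf '%s\n' "$status" | good_sig_fingerprint)
    if [ -z "$fpr" ]; then
        printf 'tag %s: no good signature found\n' "$tag" >&2
        return 1
    fi
    if ! fingerprint_allowed "$fpr" "$allowlist"; then
        printf 'tag %s: signed by %s, not an authorized key for this project\n' "$tag" "$fpr" >&2
        return 1
    fi
    printf 'tag %s: good signature from authorized key %s\n' "$tag" "$fpr"
}

# Usage in the validation job (placeholder paths), e.g.:
#   verify_project_tag "$TAG" /etc/ci/keyrings/PROJECT /etc/ci/keyrings/PROJECT/allowed-fingerprints
```

The allowlist check is what stops a key that was accidentally imported into the project keyring from being accepted; the separate GNUPGHOME is what stops any key outside it from verifying at all.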