Comment 5 for bug 1330770

A few more questions to consider:

1. do we also want to generate (and expose) signatures for source uploads, or just the binary files?
2. since we're exposing the computed signature for verification purposes, we need to document how to recompute the signature on the device itself, correct?