
docs: Add a note about git-evtag to SECURITY.md

Philip Withnall requested to merge pwithnall/glib:readme-release-signing into main

Inspired by https://github.com/ostreedev/ostree/issues/2349, here’s a stub of documentation in SECURITY.md about how we sign releases, what can be trusted, what can’t necessarily be trusted, and the fact that we don’t actually have a formal chain of trust at the moment.

It would be nice if we did have a formal chain of trust, but nobody’s asked for it yet, which kind of implies that if we were to put the time into creating and maintaining one, nobody would actually notice.

Signed-off-by: Philip Withnall pwithnall@endlessos.org
