Add Debian keyring package
Summary
This adds a script that creates a yarn-archive-keyring Debian package, and adds a Recommends relationship from the yarn package to yarn-archive-keyring. This package installs a drop-in keyring file for APT which can be easily updated as keys are rotated. I've been working with Debian packaging a fair bit recently (and did this exact task for my personal repo), so it was pretty quick.
I have not updated the changelog, as this patch doesn't actually change yarn itself.
Test plan
Right now the script takes a single argument, a key ID to export from gpg. I'm open to suggestions as to how you'd like to do it so it fits in with the rest of your infrastructure. The script also checks for a VERSION environment variable to use for the package version, but it falls back to the current date if that's not set (one possible change: base the version number on the expiration date of the key, but that feels a little weird having a date-based version far in the future).
This is a draft PR; I still need to add a postinst script that removes any old keys that were added with apt-key. I wanted to get some feedback on the version and key ID selection earlier though. Example usage:
VERSION=2021.02.04 ./scripts/build-deb-keyring.sh 23E7166788B63E1E
@Daniel15, you were offering to review in #7866 😉
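One way the build script described above could look, as an added example that is not the PR's own code: it exports one key ID from gpg as a binary keyring, stages it under /usr/share/keyrings, falls back to the date when VERSION is unset, and ships the postinst cleanup the description still plans. The package name, keyring path and maintainer placeholder are assumptions.

```sh
#!/bin/sh
# Added example, not the script from the PR: build a "yarn-archive-keyring" .deb
# that ships one exported public key as a drop-in APT keyring. Package name and
# keyring path are assumptions following Debian's /usr/share/keyrings convention.
set -eu

PKG=yarn-archive-keyring
KEYRING=/usr/share/keyrings/yarn-archive-keyring.gpg

# Version: $VERSION if set, otherwise today's date (the fallback the PR describes).
keyring_version() {
  if [ -n "${VERSION:-}" ]; then printf '%s\n' "$VERSION"; else date -u +%Y.%m.%d; fi
}

# DEBIAN/control for the package; the key file is the only payload.
keyring_control() {
  cat <<EOF
Package: $PKG
Version: $1
Architecture: all
Maintainer: Yarn maintainers <MAINTAINER-EMAIL-PLACEHOLDER>
Description: GnuPG archive key for the Yarn APT repository
 Drop-in keyring for APT, replaceable on key rotation by upgrading this package.
EOF
}

# DEBIAN/postinst: remove the same key from the legacy apt-key store (if any),
# so the drop-in keyring is the only trusted copy (the cleanup the PR still plans).
keyring_postinst() {
  cat <<EOF
#!/bin/sh
set -e
command -v apt-key >/dev/null 2>&1 && apt-key del "$1" >/dev/null 2>&1 || true
EOF
}

# Export the key ID in binary form (what APT's Signed-By expects), stage, build.
build_keyring_deb() {
  keyid=$1; version=$(keyring_version); root=$(mktemp -d)
  mkdir -p "$root/DEBIAN" "$root$(dirname "$KEYRING")"
  gpg --export "$keyid" > "$root$KEYRING"
  [ -s "$root$KEYRING" ] || { echo "gpg exported nothing for $keyid" >&2; return 1; }
  keyring_control "$version" > "$root/DEBIAN/control"
  keyring_postinst "$keyid" > "$root/DEBIAN/postinst"; chmod 755 "$root/DEBIAN/postinst"
  dpkg-deb --root-owner-group --build "$root" "${PKG}_${version}_all.deb"
  rm -rf "$root"
}
# Usage from the PR: VERSION=2021.02.04 ./build-deb-keyring.sh 23E7166788B63E1E
if [ $# -eq 1 ]; then build_keyring_deb "$1"; fi
```

A keyring under /usr/share/keyrings is only consulted for sources whose entry names it via Signed-By, which is the point of a drop-in over apt-key: the key no longer vouches for every repository on the system.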
Thank you! I haven't forgotten about this; I'll likely have time to review it over the weekend :)
Sorry I took so long to get around to this. This looks good to me. I wonder if it should go in the releases repo (https://github.com/yarnpkg/releases) given it's related to the release infra rather than Yarn itself.
As an alternative to this, I could extend the key to be valid for 5 years, or maybe just remove the expiration. What do you think? I'd need to assess the security risks of that.
Can you please read the important note and migrate this PR to yarnpkg/berry? This repository is frozen.