Create release signing key policy

[quarckster]

Gpg signature is a crucial component of our release artifacts but we don't have any policy for release signing key where would described who can access it, what the format is, rotation period, what should be in case of leaking.

Acceptance criteria

• policy is published on https://github.com/openssl/general-policies
• policy describes:
  • who can own release signing key
  • where it's stored
  • release signing key format
  • rotation period
  • actions in case of leaking