Several ASWF projects have implemented signed source releases. For instance, in OpenEXR:
https://github.com/AcademySoftwareFoundation/openexr/blob/main/.github/workflows/release-sign.yml
This has a few advantages:
- immutable source release, even if the release tag gets modified after the fact
- visible SHA-256 checksum for the tarball
- ability to programmatically verify authenticity of the tarball
Unfortunately there doesn't seem to be a way to prevent the automatically generated links for unsigned .tar.gz and .zip archives from showing up.
