
Let's document how to verify Node.js downloads on the website

Open aduh95 opened this issue 6 months ago • 12 comments

As discussed in https://github.com/nodejs/node/issues/58904#issuecomment-3031456396, the way we document how to verify Node.js downloads is not ideal, and there seems to be consensus for switching our recommendation from the public OpenPGP.org server to our own nodejs/release-keys repository. On top of changes in the nodejs/node README, we should also host on the website what is the trusted way to verify a Node.js download.

What we need to provide on the website (presumably on the Downloads page) would be:

  • a git commit hash of a revision of nodejs/release-keys that contains keys to all.
  • the SHA-256 of gpg-only-active-keys/pubring.kbx at that revision.

Opening this now in case it involves design changes, but it shouldn't land until after the nodejs/node README is edited (currently it still points to keys.openpgp.org as the recommended source).

aduh95 avatar Jul 03 '25 13:07 aduh95
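The verification flow the issue sketches (pin a release-keys commit, pin the digest of `gpg-only-active-keys/pubring.kbx`, then use only that keyring to check `SHASUMS256.txt.sig` before checking the tarball) as an added example; this is not code from nodejs/node, nodejs/release-keys or the website. The commit hash and keyring digest are zeroed placeholders standing in for the values the website would publish; `https://nodejs.org/dist/<version>/SHASUMS256.txt` and its `.sig` are the release artefacts Node.js publishes today; the keyring path is the one named in the issue; and it assumes a gpg 2.1+ that accepts a `.kbx` file via `--keyring`.

```shell
#!/bin/sh
# Added example (not code from the nodejs/node or nodejs/release-keys
# projects): verify a Node.js tarball against a pinned revision of the
# release-keys repository, as the issue proposes.
#
# ASSUMED pinned values: the commit hash and keyring digest below are
# zeroed placeholders; the real ones would be the values the website publishes.
set -eu

RELEASE_KEYS_REPO="https://github.com/nodejs/release-keys.git"
RELEASE_KEYS_COMMIT="${RELEASE_KEYS_COMMIT:-0000000000000000000000000000000000000000}"
PUBRING_SHA256="${PUBRING_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
DIST_BASE="https://nodejs.org/dist"

# Print the SHA-256 hex digest of a file (GNU coreutils sha256sum, or shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 if FILE hashes to EXPECTED (hex, case-insensitive), else 1.
check_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Clone release-keys into WORKDIR, check out the pinned commit and verify
# the keyring digest. Prints the keyring path. Fails closed on a mismatch,
# so a tampered or unexpectedly updated keyring is never used.
fetch_pinned_keyring() {
  workdir=$1
  git clone --quiet "$RELEASE_KEYS_REPO" "$workdir/release-keys"
  git -C "$workdir/release-keys" checkout --quiet "$RELEASE_KEYS_COMMIT"
  keyring="$workdir/release-keys/gpg-only-active-keys/pubring.kbx"
  if ! check_sha256 "$keyring" "$PUBRING_SHA256"; then
    echo "pubring.kbx digest does not match the pinned SHA-256; refusing to use it" >&2
    return 1
  fi
  printf '%s\n' "$keyring"
}

# verify_release VERSION FILE: VERSION like v22.11.0, FILE a downloaded
# artefact such as node-v22.11.0-linux-x64.tar.xz in the current directory.
verify_release() {
  version=$1
  file=$2
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT

  keyring=$(fetch_pinned_keyring "$tmp")

  # Signed checksum list for this release and its detached signature.
  curl -fsSL -o "$tmp/SHASUMS256.txt" "$DIST_BASE/$version/SHASUMS256.txt"
  curl -fsSL -o "$tmp/SHASUMS256.txt.sig" "$DIST_BASE/$version/SHASUMS256.txt.sig"

  # Verify the signature with the pinned keyring only, never the user's
  # default keyring (assumes gpg 2.1+, which reads .kbx keyrings).
  gpg --no-default-keyring --keyring "$keyring" \
      --verify "$tmp/SHASUMS256.txt.sig" "$tmp/SHASUMS256.txt"

  # The signed list covers every artefact of the release; pick our line.
  expected=$(awk -v f="$(basename "$file")" '$2 == f { print $1 }' "$tmp/SHASUMS256.txt")
  if [ -z "$expected" ]; then
    echo "$file is not listed in SHASUMS256.txt for $version" >&2
    return 1
  fi
  if ! check_sha256 "$file" "$expected"; then
    echo "checksum mismatch for $file" >&2
    return 1
  fi
  echo "OK: $file matches the signed SHASUMS256.txt for $version"
}

# Usage: ./verify-node.sh v22.11.0 node-v22.11.0-linux-x64.tar.xz
if [ "$#" -eq 2 ]; then
  verify_release "$1" "$2"
fi
```

The order matters: the keyring digest is checked before gpg ever sees the file, the signature is checked before any checksum is trusted, and the per-file digest is read from the signed list rather than from a separately fetched value, so the only roots of trust are the two pinned constants the website would publish.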