build: release.mk: add soft guard for no GPG key up the supply chain

It also means the missing key specification is now a hard error when
ASCII armored files are to be created (directly or by other rules).
To allow "sign" target to (possibly eventually) become the implicit goal
even if "gpgsignkey" variable is explicitly unspecified, make it depend
on "tarballs" in that case, getting rid of any signing.

Signed-off-by: Jan Pokorný <jpokorny@redhat.com>