build: release.mk: simplify/generalize GPG signing rule

...especially in case we want to easily switch to signing also
particular archives, which may be a reasonable expectation from some
downstream/distro maintainers (as demonstrated with the libqb's
example[1] where this changeset was picked from a followup PR[2]).
Since this commit, such a change is a matter of only swapping
a prerequisities specification for "sign" target per the commented
out suggestion.

For that to work reliably even after such a change, for the complete
dependency backtrack, though, a pre-existing issue with parallelized
work on the prerequisites needs to be fixed first. The (currently
hypothetical) problem is "tarballs" (phony) target missing in the
linearized supply chain for the signed tarballs, as opposed to supply
chain for the checksums file that can be worked on in an (unordered!)
interleave with the work on these signed tarballs. Hence fix this
(currently hypothetical) race condition by stretching "tarballs" target
as progress barrier (using it as a prerequisite) uniformly for all
the deliverables that are going to be signed (as opposed to the
currently only "sha256" target). And when at it, make "deliverables"
variable list them conveniently (along with reformatting definitions
of other variables for uniformity).

[1] https://github.com/ClusterLabs/libqb/issues/145#issuecomment-306640694
[2] https://github.com/ClusterLabs/libqb/pull/260

Signed-off-by: Jan Pokorný <jpokorny@redhat.com>