Locally reproducible release source archives
Problem to solve
As maintainer of a project I want to upload signatures to the source archives created by GitLab for a release. For this, the commands/algorithms used to create the archives by GitLab must be locally reproducible.
Further details
I don't think it's smart to blindly download the generated archives and upload signatures for them since that wouldn't protect against servers that have been compromised.
Proposal
Provide documentation for tar/zip command flags that will allow maintainers to reproduce the source archives locally.
Edited by Joakim Repomaa
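While byte-for-byte reproduction is not possible, a maintainer can still avoid signing a downloaded archive blindly by comparing its contents, file by file, with an archive built from a trusted local checkout. The following is an added example, not part of the original issue and not GitLab code; the function names, the `proj-1.0/` prefix and the sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes, strip_prefix=""):
    """Map each regular file path to (is_executable, SHA-256 of contents)."""
    result = {}
    # "r:*" lets tarfile detect gzip/bzip2/xz or plain tar transparently.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and links are not compared here
            name = member.name
            if strip_prefix and name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            data = tar.extractfile(member).read()
            result[name] = (member.mode & 0o111 != 0, hashlib.sha256(data).hexdigest())
    return result


def diff_archives(local_bytes, downloaded_bytes, local_prefix="", downloaded_prefix=""):
    """Return sorted paths that are missing, extra, or different between archives."""
    local = manifest(local_bytes, local_prefix)
    remote = manifest(downloaded_bytes, downloaded_prefix)
    return sorted(p for p in local.keys() | remote.keys() if local.get(p) != remote.get(p))


def build_tar(files, prefix, gz=False, mtime=0):
    """Build a constructed sample archive in memory (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if gz else "w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    tree = {"README.md": b"hello\n", "src/main.c": b"int main(void){return 0;}\n"}
    local = build_tar(tree, "proj-1.0/")
    served = build_tar(tree, "proj-1.0/", gz=True, mtime=1700000000)
    changed = {**tree, "src/main.c": b"int main(void){return 1;}\n"}
    tampered = build_tar(changed, "proj-1.0/", gz=True)
    print(diff_archives(local, served, "proj-1.0/", "proj-1.0/"))
    print(diff_archives(local, tampered, "proj-1.0/", "proj-1.0/"))
```

An empty result means the downloaded archive carries the same files as the local tree even though compression and timestamps make the bytes differ; only then would the detached signature be created over the downloaded file.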