doc: update README with SHASUMS256.txt.sig info
It is more secure to verify SHASUMS256.txt files via SHASUMS256.txt.sig than SHASUMS256.txt.asc.
This comment does the best job at explaining the issue.
Refs: #6821 (closed), #9071
Checklist
-
documentation is changed or added -
commit message follows commit guidelines
Affected core subsystem(s)
doc