canonical / chisel

GNU Affero General Public License v3.0

Verify release signatures #102

Closed woky closed 9 months ago

woky commented 9 months ago

This commit builds on the previous commit that introduces support for OpenPGP keyrings to verify signatures of archive release files. Previously, we used the Release file of each configured suite. With this commit, we fetch the InRelease file instead. This file is in clearsign format [1] and contains the Release file and its signature [2].

[1] https://www.gnupg.org/gph/en/manual/x135.html
[2] https://www.chiark.greenend.org.uk/~cjwatson/blog/no-more-hash-sum-mismatch-errors.html

woky commented 9 months ago

This PR depends on #100

The CI will pass once chisel-releases contains valid Ubuntu keyrings. The PRs in chisel-releases are: https://github.com/canonical/chisel-releases/pulls?q=is%3Apr+is%3Aopen+%22Add+Ubuntu+archive+signing+keys%22+in%3Atitle

woky commented 9 months ago

Unfortunately, it appears that clearsign.Block is stateful (it uses io.Reader for Body), so running block.VerifySignature() for the second time will read an empty body, and hence the signature will be invalid. So if the first keyring fails to verify the signature, the remaining keyrings will fail too. I'm going to fix that and add a test for that. Converted to draft for now.
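A stand-alone illustration of the pitfall described in that comment, added here and not taken from chisel or from this PR: Ed25519 from the Go standard library stands in for OpenPGP, a small `block` type stands in for `clearsign.Block` with its reader-backed body, and `verifyStateful`, `verifyBuffered`, `newScenario` and the sample Release text are made up for the example. It shows the buggy loop failing against a second, correct key once the first attempt has drained the reader, and the buffered loop succeeding.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"io"
)
// block mirrors clearsign.Block: the signed payload sits behind an io.Reader,
// so whichever verifier reads it first drains it for everyone after.
type block struct {
	Body io.Reader
	Sig  []byte
}
// verifyOnce checks one key; like clearsign.Block.VerifySignature it consumes Body.
func verifyOnce(b *block, pub ed25519.PublicKey) bool {
	data, err := io.ReadAll(b.Body)
	return err == nil && ed25519.Verify(pub, data, b.Sig)
}
// verifyStateful is the buggy loop: once the first key fails, Body is empty, so
// every later key is checked against an empty payload. Returns key index or -1.
func verifyStateful(b *block, keys []ed25519.PublicKey) int {
	for i, pub := range keys {
		if verifyOnce(b, pub) {
			return i
		}
	}
	return -1
}
// verifyBuffered is the fix: read the payload once and give each key a fresh
// reader over the same bytes, so an earlier failure cannot poison later tries.
func verifyBuffered(b *block, keys []ed25519.PublicKey) int {
	data, err := io.ReadAll(b.Body)
	if err != nil {
		return -1
	}
	for i, pub := range keys {
		if verifyOnce(&block{Body: bytes.NewReader(data), Sig: b.Sig}, pub) {
			return i
		}
	}
	return -1
}
// newScenario builds a constructed case: a Release-style payload signed by the
// second of two deterministic keys, so the first candidate always fails.
func newScenario() (*block, []ed25519.PublicKey) {
	wrong := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	right := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	release := []byte("Origin: Ubuntu\nSuite: jammy\n") // constructed payload
	b := &block{Body: bytes.NewReader(release), Sig: ed25519.Sign(right, release)}
	return b, []ed25519.PublicKey{wrong.Public().(ed25519.PublicKey), right.Public().(ed25519.PublicKey)}
}
```

Re-decoding the clearsigned text for every key would fix the real code the same way; the point is that each verification attempt must see the full payload.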

woky commented 9 months ago

I've fixed the issue. Variables/functions/comments/messages are updated to refer to "public keys" instead of keyrings. I retained the openpgp.Keyring type. See my comment about it here please: https://github.com/canonical/chisel/pull/102#discussion_r1370818724