ceph / merfi

Finds and signs files with different signing tools (gpg, rpm-sign)
MIT License

RFE: only sign selected "Release" files #6

Closed ktdreyer closed 7 years ago

ktdreyer commented 9 years ago

reprepro creates several files that are all named "Release":

myrepo/dists/precise/main/binary-armhf/Release
myrepo/dists/precise/main/binary-amd64/Release
myrepo/dists/precise/main/binary-i386/Release
myrepo/dists/precise/main/source/Release
myrepo/dists/precise/Release
myrepo/dists/trusty/main/binary-armhf/Release
myrepo/dists/trusty/main/binary-amd64/Release
myrepo/dists/trusty/main/binary-i386/Release
myrepo/dists/trusty/main/source/Release
myrepo/dists/trusty/Release

We only need to sign the two main ones, "trusty/Release" and "precise/Release". There's no point in signing the others, because apt doesn't even try to download the signatures for them. Even if apt did, the <pool>/binary-*/Release files contain no cryptographic hashes of anything.

FileCollector will need to be smarter about collecting the correct "Release" files.

We could analyze the "Release" file in relation to other specially-named directories within a tree, but that gets complex. I think it would be simplest to just open the "Release" file and grep for the string "SHA256:". If that string is present in the file, then that means we need to sign the file. If the string is not present, skip the file and move on to the next one that we find.
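One way to implement the "open the Release file and grep for SHA256:" heuristic described above, as an added example that is not merfi's own FileCollector; the function names and the sample repository tree (including the placeholder digest) are constructed here:

```python
import os
import tempfile
from pathlib import Path

# Hypothetical collector (added example, not merfi's code): keep only the "Release"
# files that actually list hashes of other files, i.e. carry a "SHA256:" field.
HASH_MARKER = "SHA256:"

def has_hash_section(path):
    """True if the Release file has a SHA256: field and therefore needs a signature."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            # Anchor on the start of the line so a hash value or comment
            # containing the text elsewhere does not count as a match.
            return any(line.startswith(HASH_MARKER) for line in fh)
    except OSError:
        return False

def collect_release_files(root):
    """Walk root and return sorted relative paths of Release files that pass the check."""
    root = Path(root)
    wanted = []
    for dirpath, _dirs, files in os.walk(root):
        if "Release" in files:
            candidate = Path(dirpath) / "Release"
            if has_hash_section(candidate):
                wanted.append(candidate.relative_to(root).as_posix())
    return sorted(wanted)

# Constructed sample contents; "deadbeef" is a placeholder, not a real digest.
TOP_RELEASE = "Origin: example\nSuite: {suite}\nSHA256:\n deadbeef 1234 main/binary-amd64/Packages\n"
ARCH_RELEASE = "Archive: {suite}\nComponent: main\n"

def build_sample_tree(base):
    """Recreate the reprepro layout from the issue under base (constructed, not a real repo)."""
    for suite in ("precise", "trusty"):
        dist = Path(base) / "dists" / suite
        dist.mkdir(parents=True)
        (dist / "Release").write_text(TOP_RELEASE.format(suite=suite))
        for arch in ("binary-armhf", "binary-amd64", "binary-i386", "source"):
            (dist / "main" / arch).mkdir(parents=True)
            (dist / "main" / arch / "Release").write_text(ARCH_RELEASE.format(suite=suite))

def demo():
    """Build the sample tree in a temp dir and return the Release files selected for signing."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return collect_release_files(tmp)
```

Running demo() on the constructed tree selects only dists/precise/Release and dists/trusty/Release; the eight per-architecture Release files are skipped because they carry no hashes.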

ktdreyer commented 9 years ago

When I ran merfi rpm-sign today, it still signed a bunch of unnecessary Release files scattered in the tree.

We'll need to make the repotree fixture more robust (more like a real Debian repository) in order to fully exercise this behavior.

ktdreyer commented 7 years ago

This should be fixed now, as of #42