fluxcd / source-controller

The GitOps Toolkit source management component
https://fluxcd.io
Apache License 2.0

Add `mode: tag` to OpenPGP verify options #1133

Closed stefanprodan closed 1 year ago

stefanprodan commented 1 year ago

Flux should be able to verify signed tags. Currently, if I push a signed tag, Flux looks at HEAD, making it impossible to verify releases from GitHub, as GH merge commits are not signed by authors; only tags are.

Example:

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: podinfo
  namespace: backstage
spec:
  interval: 10m
  url: https://github.com/stefanprodan/podinfo
  ref:
    tag: "6.4.0"
  verify:
    mode: head
    secretRef:
      name: pgp-stefan

This errors out with:

signature verification of commit 'fcf573111bd82600052f99195a67f33d8242bf17' failed: unable to verify commit with any of the given key rings

The fcf573111bd82600052f99195a67f33d8242bf17 commit is HEAD; Flux should verify dd3869b1a177432b60ea1e3ba99c10fc9db850fa, which is the signed tag.

hiddeco commented 1 year ago

This would require changes to fluxcd/pkg/git to allow the annotated tag object in Git to be verified, as the place where the signature is found differs from commits (the raw Git commit object has a gpgsig field; for a tag, it is expected as the first signature found at the bottom of the annotation message).

In addition, the reconciler would require changes to work with tag objects as well, as it currently assumes it is working with a git.Commit object throughout the code.
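The two signature placements described above, as an added example that is not code from this issue or from fluxcd/pkg/git: an annotated tag carries its armored block at the end of the annotation message, while a commit carries it in a `gpgsig` header whose continuation lines start with a space. Each function returns the bytes a verifier would pass to a detached-signature check together with the extracted armor; the sample objects are constructed, with placeholder hashes and a truncated armor body.

```go
package main

import (
	"fmt"
	"strings"
)

const pgpBegin = "-----BEGIN PGP SIGNATURE-----"

// splitSignedTag returns the signed bytes of a raw tag object and the armored signature appended to its message.
func splitSignedTag(raw string) (payload, sig string, err error) {
	i := strings.LastIndex(raw, "\n"+pgpBegin+"\n") // git takes the last marker line
	if i < 0 {
		return "", "", fmt.Errorf("tag object carries no PGP signature")
	}
	return raw[:i+1], raw[i+1:], nil
}

// splitSignedCommit removes the gpgsig header from a raw commit object; the remainder is what the signature covers.
func splitSignedCommit(raw string) (payload, sig string, err error) {
	headers, msg, ok := strings.Cut(raw, "\n\n")
	if !ok {
		return "", "", fmt.Errorf("malformed commit object: no header/message separator")
	}
	kept, sigLines, inSig := []string{}, []string{}, false
	for _, line := range strings.Split(headers, "\n") {
		if strings.HasPrefix(line, "gpgsig ") {
			inSig, sigLines = true, append(sigLines, line[len("gpgsig "):])
		} else if inSig && strings.HasPrefix(line, " ") {
			sigLines = append(sigLines, line[1:]) // continuation line of the header
		} else {
			inSig, kept = false, append(kept, line)
		}
	}
	if len(sigLines) == 0 {
		return "", "", fmt.Errorf("commit object carries no gpgsig header")
	}
	return strings.Join(kept, "\n") + "\n\n" + msg, strings.Join(sigLines, "\n") + "\n", nil
}

// Constructed sample objects: placeholder hashes and a truncated armor body.
const rawTag = "object 0000000000000000000000000000000000000000\ntype commit\ntag 6.4.0\n" +
	"tagger A <a@example.com> 1 +0000\n\nRelease 6.4.0\n" + pgpBegin + "\n\nABCD\n-----END PGP SIGNATURE-----\n"
const rawCommit = "tree 1111111111111111111111111111111111111111\nauthor A <a@example.com> 1 +0000\n" +
	"committer A <a@example.com> 1 +0000\ngpgsig " + pgpBegin + "\n \n ABCD\n -----END PGP SIGNATURE-----\n\nMerge pull request #1\n"

func main() {
	payload, sig, err := splitSignedTag(rawTag)
	fmt.Printf("signed payload:\n%s\nsignature:\n%s\nerr: %v\n", payload, sig, err)
}
```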