rhinstaller / fedup

Deprecated Fedora Upgrade tool
GNU General Public License v2.0

GPG signature verification for kernel/initramfs #11

Closed wgwoods closed 11 years ago

wgwoods commented 11 years ago

commit 38d66bb merged the checksig branch, which added signature checking for packages, but we need to also check the signatures on the kernel/initrd.

The .treeinfo file contains SHA256 hashes for both images, so if we have a .treeinfo.signed that's signed with the Fedora key that's just as good as signing the files themselves.

To do this we need:

wgwoods commented 11 years ago

.treeinfo.signed exists in Fedora 20 Alpha: see .treeinfo.signed

Also, fedora-release-19-1 (and later) contain f20 keys: see the file listing on koji

wgwoods commented 11 years ago

commit 963ae6a added defaultkey and uses that for instrepo. It also adds the _import_key() function. For the record, the default is: gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

Unfortunately, the Fedora 20 keys shipped in F19 don't have arch-specific links like the F19 keys do. I've sent patches to the maintainer to fix that up, but it'll require a fedora-release update in F19 to be able to check signatures properly.

wgwoods commented 11 years ago

commit 4472f84 added --nogpgcheck (although I'm pretty sure it was busted until 7db18c2 fixed it up)

wgwoods commented 11 years ago

As of commit 0a3eab7 this seems to work properly (tested with a self-signed fedora-release package)
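The reasoning in the first comment (a trusted .treeinfo vouches for the kernel and initrd through their SHA256 hashes) can be sketched as follows. This is an added example, not fedup's own code. It assumes the GPG signature on .treeinfo.signed has already been verified against the Fedora key and that the file uses `[images-<arch>]` and `[checksums]` sections; all function names and sample data are hypothetical and constructed.

```python
import configparser
import hashlib
import hmac

class ImageVerifyError(Exception):
    """Raised when an image cannot be tied to the trusted .treeinfo."""

def expected_digests(treeinfo_text, arch):
    """Return {relative_path: sha256_hex} for the kernel and initrd of `arch`.

    `treeinfo_text` must come from a .treeinfo.signed whose signature was
    already checked (assumption: done elsewhere, e.g. with gpg).
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # image paths are case-sensitive keys
    digests = {}
    try:
        cp.read_string(treeinfo_text)
        for role in ("kernel", "initrd"):
            path = cp.get("images-" + arch, role)
            algo, _, hexdigest = cp.get("checksums", path).partition(":")
            if algo.strip().lower() != "sha256":
                raise ImageVerifyError("unexpected hash type for %s" % path)
            digests[path] = hexdigest.strip().lower()
    except configparser.Error as e:
        # Missing section or entry: fail closed rather than skip the check.
        raise ImageVerifyError("incomplete .treeinfo: %s" % e)
    return digests

def verify_image(path, data, digests):
    """Fail closed unless `data` hashes to the value listed for `path`."""
    if path not in digests:
        raise ImageVerifyError("%s is not listed in .treeinfo" % path)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, digests[path]):
        raise ImageVerifyError("sha256 mismatch for %s" % path)
    return True

# Constructed sample data: not real Fedora images or a real .treeinfo.
KERNEL = b"constructed kernel bytes"
INITRD = b"constructed initrd bytes"
SAMPLE_TREEINFO = """[images-x86_64]
kernel = images/pxeboot/vmlinuz
initrd = images/pxeboot/initrd.img

[checksums]
images/pxeboot/vmlinuz = sha256:%s
images/pxeboot/initrd.img = sha256:%s
""" % (hashlib.sha256(KERNEL).hexdigest(), hashlib.sha256(INITRD).hexdigest())
```

The hash check only carries the signature's trust if the digests are read from the verified text itself, not from a separately downloaded unsigned .treeinfo.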