Open nuclearsandwich opened 3 years ago
move all GPG usage into the gpg-vault user and manage both public and private keys there
I think the private keys for signing are already imported there so the remaining work is only to update the jenkins-agent user to start using the vault.
The way we're using the GPG agent, you can't actually share public keys. In fact, each user that accesses the vault must already have the public key that corresponds to the private key they wish to use. We could probably declare a common location to store public keys, but I don't think it can be done through the GPG vault's agent.
Thanks for the context. It sounds like the repository user (jenkins-agent by default) should be the designated keeper of the public keys needed on the repository host and the gpg-vault user holds the private keys.
It's currently possible to specify a custom bootstrap repository URL and signing key ID, but the cookbook does not directly support trusting custom keys.
The workaround available right now is to add your own recipe to the run list which imports the appropriate key after this cookbook is run.
Before we add this feature I'd like to work with @cottsay to see if we can/should move all GPG usage into the gpg-vault user and manage both public and private keys there.
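The split the thread settles on (private keys only in the gpg-vault user's keyring, public keys in the repository user's keyring) can be checked on any box with GnuPG 2.1+. The script below is an added example, not part of the cookbook or this thread: it builds two throwaway GNUPGHOME directories standing in for the vault and the repository user, generates a hypothetical signing key (the `demo@example.invalid` identity is made up), exports only the public half across, and confirms that the public-only keyring can verify a signature made by the vault but cannot produce one itself.

```shell
#!/bin/sh
# Added example (not from the cookbook or the thread): show the private/public
# keyring split between a vault home and a repository-user home.
# Assumes gpg (GnuPG 2.1+) and gpgconf are on PATH; the key identity is made up.
set -eu

demo_split_keyrings() {
  work=$(mktemp -d)
  vault="$work/vault"   # stands in for the gpg-vault user's GNUPGHOME
  repo="$work/repo"     # stands in for the jenkins-agent user's GNUPGHOME
  mkdir -m 700 "$vault" "$repo"

  # Hypothetical signing-only key, no passphrase, created only in the vault home.
  gpg --homedir "$vault" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'demo <demo@example.invalid>' ed25519 sign 0 >/dev/null 2>&1

  # Export just the public key and import it into the repository user's keyring.
  gpg --homedir "$vault" --batch --quiet --export demo@example.invalid > "$work/pub.gpg"
  gpg --homedir "$repo" --batch --quiet --import "$work/pub.gpg" 2>/dev/null

  # Constructed stand-in for a repository metadata file, signed in the vault home.
  printf 'Origin: demo\nSuite: stable\n' > "$work/Release"
  gpg --homedir "$vault" --batch --quiet --detach-sign --armor \
      -o "$work/Release.gpg" "$work/Release"

  rc=0
  # Public-only keyring: verification must succeed ...
  gpg --homedir "$repo" --batch --quiet --verify "$work/Release.gpg" "$work/Release" 2>/dev/null || rc=1
  # ... but signing must fail, because no secret key lives there.
  if gpg --homedir "$repo" --batch --quiet --detach-sign -o /dev/null "$work/Release" 2>/dev/null; then
    rc=2
  fi

  gpgconf --homedir "$vault" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$repo"  --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  return "$rc"
}

demo_split_keyrings && echo "public-only keyring verified the signature but could not sign"
```

Return codes: 0 means the split behaves as the thread describes, 1 means the repository keyring could not verify the vault's signature (public key missing or import failed), 2 means the repository keyring was able to sign, which would indicate a private key leaked into the wrong home.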