RFE: check downloaded PGP signature
When apkg get-archive downloads a signature, it should also verify it. In order to do that:
- there'd have to be some way of specifying keys (either as fingerprints, or perhaps some URL to obtain them?)
- a project-specific keyring should be created
- gnupg verify should be executed with the project-specific keyring on the downloaded signature/tarball
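
The three steps above could fit together as follows. This is an added example, not apkg code. It assumes keys are specified as primary-key fingerprints, the public key files are already on disk, and `gpg` is on PATH; the names `trusted_signers` and `verify_archive` are hypothetical.

```python
import subprocess
import tempfile

# Status keywords that must fail verification even if a VALIDSIG is also present.
REJECT = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize(fpr):
    """Canonical form of a fingerprint: no spaces, upper-case hex."""
    return fpr.replace(" ", "").upper()


def trusted_signers(status, allowed):
    """Return the allowed primary-key fingerprints that made a valid signature.

    `status` is the text gpg writes with --status-fd.
    """
    allowed = {normalize(f) for f in allowed}
    signers = set()
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return set()
        if fields[1] == "VALIDSIG":
            # The primary-key fingerprint is the last field; fall back to the
            # signing-key fingerprint when gpg does not print it.
            signers.add(normalize(fields[-1] if len(fields) >= 12 else fields[2]))
    return signers & allowed


def verify_archive(archive, signature, key_files, allowed):
    """Verify `signature` over `archive` using only the project's keys."""
    # Throwaway keyring (created mode 0700), so the user's own keyring and
    # trust settings never influence the result.
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--batch", "--no-tty", "--homedir", home]
        subprocess.run(gpg + ["--import", *key_files], check=True, capture_output=True)
        res = subprocess.run(
            gpg + ["--status-fd", "1", "--verify", signature, archive],
            capture_output=True, text=True)
    return res.returncode == 0 and bool(trusted_signers(res.stdout, allowed))
```

Checking the fingerprint from the status output, rather than only the exit code, means a signature from any other key that ends up in the keyring is still rejected.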