Add the initial gpg signature check code
This does implement verification of signatures on commits and tags.
It does not implement getting the keys from a keyserver, verifying
the key is owned by the user, or any UI to indicate signature state.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>