Add keyringctl as tooling for a curated keyring
This implements a `keyringctl` command (fronting `sq`) that can be used to convert the current set of PGP certificates to a more specific directory structure (see #6 (closed) for details):
Workflow (for testing)

```sh
# convert current setup
./keyringctl -v import --main master master-revoked
./keyringctl -v import packager packager-revoked
```
The tool allows for exporting the combined PGP packets to a file that can be used as a pacman keyring:
```sh
# export converted certificate layout to a keyring file and export ownertrust and revoker status
./keyringctl -v build
```
(Future) Workflow

```sh
# update an existing main public key (and e.g. its signatures)
./keyringctl -v import --main <some_file>.gpg
# update an existing packager public key (and e.g. its signatures)
./keyringctl -v import <some_file>.gpg
```
Currently it is untested whether
- the conversion exports all relevant PGP packets from the existing certificates
- the export creates a functioning file that can be used as a pacman keyring
- the revoker status can be improved (to not have to rely on a separate file)
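One way to test the second point (that the built file actually loads as a keyring) is to import it into a throwaway GnuPG home and parse the machine-readable listing. The script below is an added example, not part of keyringctl or this merge request; it assumes the listing was produced with `gpg --with-colons`, and the sample listing and fingerprints are constructed placeholders.

```python
"""Sanity-check a built keyring from `gpg --list-keys --with-colons` output.

Assumed steps to produce the listing (run manually, not part of keyringctl):
    H="$(mktemp -d)"; gpg --homedir "$H" --import archlinux.gpg
    gpg --homedir "$H" --list-keys --with-colons > listing.txt
"""
from dataclasses import dataclass, field

# Constructed sample listing: one valid main key and one revoked packager key.
# Fingerprints and key IDs are placeholders, not real keys.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000::::::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1600000000::HASH::Main Key <main@example.org>::::::::::0:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::e::::::23:
fpr:::::::::3333333333333333333333333333333333333333:
pub:r:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:r::::1600000000::HASH::Packager <packager@example.org>::::::::::0:
"""


@dataclass
class Cert:
    fingerprint: str
    validity: str  # field 2 of `pub`: 'u'/'f' usable, 'r' revoked, 'e' expired
    uids: list = field(default_factory=list)


def parse_colons(listing: str) -> dict:
    """Return {primary fingerprint: Cert}; subkey fingerprints are skipped."""
    certs, state, validity, current = {}, None, None, None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":           # new primary key starts a record
            state, validity, current = "pub", fields[1], None
        elif fields[0] == "sub":         # following fpr belongs to a subkey
            state = "sub"
        elif fields[0] == "fpr" and state == "pub" and current is None:
            current = Cert(fields[9], validity)   # field 10 = fingerprint
            certs[current.fingerprint] = current
        elif fields[0] == "uid" and current is not None:
            current.uids.append(fields[9])        # field 10 = user ID
    return certs


def check_keyring(certs: dict, expected: set) -> tuple:
    """Report expected fingerprints that are absent, and those present but revoked."""
    present = set(certs)
    missing = sorted(expected - present)
    revoked = sorted(f for f in expected & present if certs[f].validity == "r")
    return missing, revoked
```

A non-empty `missing` list means packets did not survive the export; an entry in `revoked` is expected only for certificates that were imported from the `*-revoked` sets.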
NOTE: Currently it is not yet possible to create a deterministic keyring using `sq keyring merge`: https://gitlab.com/sequoia-pgp/sequoia/-/issues/762
TODO

- update README.md to reflect changes and explain new workflow
- derive username by matching against existing public key fingerprints in the target directory (to not simply rely on input certificate name)
- filter out any certifications that are not done by main or packager public keys
- simplify the command-line interface (e.g. `import-packager`, `import-main`, `export-packager`, `export-main`, `export-keyring`)
- add gitlab CI integration to create keyring files, import them with pacman-key and use them
- standardize directory naming (e.g. `uids` -> `uid`, `subkeys` -> `subkey`)
- check new keys to match our requirements (as is currently done in CI)
- Allow
Related to #6 (closed)
Edited by Levente Polyak