commitpkg: prefer explicit signature+data parameters for gpg --verify

Lets prefer the explicit variant of gpg --verify by providing both, the signature and the data file as parameters. For the unlikely case there is a matching signature file already present that was created outside of the toolchain and has an embedded signature with data, we at least could detect it early with this check.