Validate the signature of bootstrap tarball before extracting it
As mentioned in !596 (comment 68885), roles/install_arch/tasks/main.yml does not download and validate the bootstrap tarball's signature. While the tarball is downloaded from DevOps-managed mirrors, it should not be considered a very secure practice in general.
Per https://wiki.archlinux.org/title/Install_Arch_Linux_from_existing_Linux#Method_A:Using_the_bootstrap_image(recommended), the signature should be downloaded from https://archlinux.org/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz.sig.
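One way the check could look as Ansible tasks, added here as an illustration and not taken from roles/install_arch/tasks/main.yml. Assumptions: `bootstrap_mirror`, `bootstrap_dir`, `bootstrap_signing_key_fpr`, the mirror's `/iso/<version>/` layout and a `release-key.asc` file shipped in the role's `files/` directory are hypothetical names; only `bootstrap_version` and the signature URL come from this issue.

```yaml
# Added example; every variable except bootstrap_version is a hypothetical name.
- name: Download the tarball (mirror) and its detached signature (archlinux.org)
  ansible.builtin.get_url:
    url: "{{ item }}"
    dest: "{{ bootstrap_dir }}/{{ item | basename }}"
    mode: "0600"
  loop:
    - "{{ bootstrap_mirror }}/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz"
    - "https://archlinux.org/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz.sig"

- name: Create a private GnuPG home so no other keyring can satisfy the check
  ansible.builtin.file:
    path: "{{ bootstrap_dir }}/gnupg"
    state: directory
    mode: "0700"

- name: Copy the pinned release signing key shipped with the role
  ansible.builtin.copy:
    src: release-key.asc
    dest: "{{ bootstrap_dir }}/release-key.asc"
    mode: "0600"

- name: Import the pinned key into the private keyring
  ansible.builtin.command:
    argv: [gpg, --homedir, "{{ bootstrap_dir }}/gnupg", --batch, --import, "{{ bootstrap_dir }}/release-key.asc"]
  changed_when: false

- name: Verify the detached signature (a non-zero gpg exit fails the play here)
  ansible.builtin.command:
    argv:
      - gpg
      - --homedir
      - "{{ bootstrap_dir }}/gnupg"
      - --batch
      - --status-fd
      - "1"
      - --verify
      - "{{ bootstrap_dir }}/archlinux-bootstrap-x86_64.tar.gz.sig"
      - "{{ bootstrap_dir }}/archlinux-bootstrap-x86_64.tar.gz"
  register: bootstrap_sig
  changed_when: false

- name: Require VALIDSIG from the pinned fingerprint before going further
  ansible.builtin.assert:
    that:
      - "('[GNUPG:] VALIDSIG ' ~ bootstrap_signing_key_fpr) in bootstrap_sig.stdout"
    fail_msg: "Bootstrap tarball signature was not made by the pinned key"
```

The role's existing extraction task would run only after these tasks succeed. The fingerprint compared here is the first field of gpg's `VALIDSIG` status line, which is the key that made the signature, so `bootstrap_signing_key_fpr` must hold that key's full fingerprint.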