Integrity verification against external source

It adds support for comparing airootfs signature against a backup file eventually put on an external device, for example on an integrity dongle.

The signature file can be specified using the sigdevice kernel parameter, using the same syntax as the one for the cryptdevice parameter in the encrypt module, i.e.

sigdevice="UUID=<UUID>:<fs_type>:<file_path>"

This same feature is provided by the encrypt hook in cryptsetup-sigfile (AUR) when the root file system is encrypted because it would be pointless to verify the signature after having tried to unlock a potentially malicious image.

Notes: this branch is based on !25 (closed).