Switch to locked, signed tags as more transparent sources
(also because upstream frequently forgets to sign custom source tarballs).

Update local OpenPGP key, as a subkey has been added:
https://github.com/rhboot/shim/issues/631

Switch to upstream provided signed source tarball, since upstream didn't sign the tag.
Simplify make calls.
Switch to correct SPDX license identifier.
Update maintainer info.

Remove unnecessary quotes and curly braces.

Cf. https://gitlab.archlinux.org/archlinux/rfcs/-/blob/master/rfcs/0011-store-source-signing-keys.rst

Tags can be force pushed upstream, so relying on the tag name is not enough to
guarantee integrity of the sources. Instead we can pin the SHA-1 hash of the
tag object (obtained using "git rev-parse"), which would change in the event of
a force push.

Also add a pkgver() function to avoid accidentally bumping only $pkgver instead
of updating $_tag.

The new maintainer's key has been cross-signed by the old key, cf.
https://github.com/rhboot/shim/issues/453

Additionally a -Werror at the end of a line needs to be removed as well to make
the test suite compile without warnings/errors.

Cf. https://github.com/rhboot/shim/issues/453

- gnu-efi must now be built as a vendored Git submodule, using the system
  gnu-efi libraries is no longer supported (so EFI_PATH can be removed as
  well).
- HTTP boot is now enabled by default, so the ENABLE_HTTPBOOT configuration
  option does not exist any more.
- Add a check() function to run the new unit tests.
- The README has been moved to README.md.

As the EFI binaries can be different from the host architecture and are not used during runtime, the architecture of the package should be any.
Updating the description to make sure users do not think this is a signed shim.