Attest upstream metadata

When adding a package, we want to be able to configure the attestation of upstream source metadata.

Metadata has diverse sources in the upstream source repository:

  • PKGBUILD (e.g. pkgbase, pkgname, pkgver, epoch, pkgrel)
  • PKGBUILD checksum (see #120)
  • git tag exists (see #118)
  • git tag is signed by valid packager (e.g. UID and signature match those in pacman-key or a custom list of PGP key IDs)

The above requirements directly influence #120 and #118. It appears most sensible not to implement upstream source handling per source forge, but rather via a dedicated git backend, as we will require (long-lived) checkouts for the attestations.
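As an added example (not repod's own code), the four attestations listed above carried out against a git checkout: scalar fields are read from the PKGBUILD without executing it, the PKGBUILD is checksummed, the tag is resolved as an annotated tag object, and the signature is judged from the gpg status lines that `git verify-tag --raw` emits. The tag naming scheme (`[epoch-]pkgver-pkgrel`), the allow-list of packager fingerprints, the sample PKGBUILD and the sample gpg status output are all constructed assumptions for illustration.

```python
"""Illustrative attestation of upstream source metadata (added example, not
repod's code). Assumes a local git checkout of the upstream repository, a
SHA-256 recorded for the PKGBUILD when the package was added, and an
allow-list of packager key fingerprints (e.g. exported from pacman-key)."""
import hashlib
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

PKGBUILD_FIELDS = ("pkgbase", "pkgname", "pkgver", "pkgrel", "epoch")
# scalar assignment only: name=value, optionally quoted, optional trailing comment
_SCALAR_ASSIGN = re.compile(r"^\s*(\w+)=(['\"]?)([^\s'\"#()]+)\2\s*(#.*)?$")
# gpg status keywords that mean the tag signature must be rejected outright
_REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample data (assumption, not from any real repository)
SAMPLE_PKGBUILD = """\
# Maintainer: Example Packager <packager@example.org>
pkgbase=example
pkgname=example
pkgver=1.2.3
pkgrel=2
epoch=1
arch=('x86_64')
"""
SAMPLE_FPR = "1234567890ABCDEF1234567890ABCDEF12345678"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 90ABCDEF12345678 Example Packager <packager@example.org>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2024-01-01 1704067200 0 4 0 1 10 00 {SAMPLE_FPR}\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)


def parse_pkgbuild(text: str) -> Dict[str, str]:
    """Read scalar metadata fields without running the PKGBUILD through bash.
    Arrays and shell expansions are ignored on purpose."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _SCALAR_ASSIGN.match(line)
        if m and m.group(1) in PKGBUILD_FIELDS:
            fields[m.group(1)] = m.group(3)
    fields.setdefault("epoch", "0")
    return fields


def pkgbuild_sha256(text: str) -> str:
    """Checksum of the PKGBUILD as fetched, compared to the recorded one (#120)."""
    return hashlib.sha256(text.encode()).hexdigest()


def expected_tag(fields: Dict[str, str]) -> str:
    """Assumed tag scheme: pkgver-pkgrel, prefixed with epoch- when epoch is
    nonzero (':' is not permitted in a git ref name)."""
    tag = f"{fields['pkgver']}-{fields['pkgrel']}"
    if fields.get("epoch", "0") != "0":
        tag = f"{fields['epoch']}-{tag}"
    return tag


@dataclass
class SignatureResult:
    valid: bool
    fingerprint: Optional[str]
    uid: Optional[str]
    reason: str


def evaluate_gpg_status(status: str, allowed_fingerprints: Iterable[str]) -> SignatureResult:
    """Judge gpg's machine-readable status lines. A GOODSIG alone is not
    enough: the VALIDSIG fingerprint (signing subkey or its primary key) must
    be on the packager allow-list, and expired/revoked/bad results fail."""
    allowed = {f.replace(" ", "").upper() for f in allowed_fingerprints}
    goodsig, uid, fpr, primary = False, None, None, None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword in _REJECT:
            return SignatureResult(False, None, None, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            goodsig, uid = True, " ".join(parts[3:]) or None
        elif keyword == "VALIDSIG":
            fpr = parts[2].upper()
            primary = parts[11].upper() if len(parts) > 11 else fpr  # 10th field: primary key
    if not (goodsig and fpr):
        return SignatureResult(False, fpr, uid, "no good signature")
    if fpr not in allowed and primary not in allowed:
        return SignatureResult(False, fpr, uid, "signing key not in packager allow-list")
    return SignatureResult(True, fpr, uid, "signed by allowed packager key")


def tag_exists(repo: str, tag: str) -> bool:
    """Tag must exist as an annotated tag object (#118); lightweight tags cannot be signed."""
    cmd = ["git", "-C", repo, "rev-parse", "--quiet", "--verify", f"refs/tags/{tag}^{{tag}}"]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def git_verify_tag_status(repo: str, tag: str) -> str:
    """Raw gpg status lines for the tag signature; git prints them on stderr."""
    cmd = ["git", "-C", repo, "verify-tag", "--raw", tag]
    return subprocess.run(cmd, capture_output=True, text=True).stderr


def attest(pkgbuild_text, recorded_sha256, tag_present, gpg_status, allowed) -> Dict[str, bool]:
    """Outcome of the four attestations from the issue, as a check -> pass map."""
    fields = parse_pkgbuild(pkgbuild_text)
    sig = evaluate_gpg_status(gpg_status, allowed)
    return {
        "pkgbuild_fields": all(k in fields for k in ("pkgbase", "pkgname", "pkgver", "pkgrel")),
        "pkgbuild_checksum": pkgbuild_sha256(pkgbuild_text) == recorded_sha256,
        "tag_exists": tag_present,
        "tag_signed_by_packager": tag_present and sig.valid,
    }


def attest_checkout(repo, pkgbuild_text, recorded_sha256, allowed) -> Dict[str, bool]:
    """Run the checks against a long-lived git checkout of the upstream repository."""
    tag = expected_tag(parse_pkgbuild(pkgbuild_text))
    present = tag_exists(repo, tag)
    status = git_verify_tag_status(repo, tag) if present else ""
    return attest(pkgbuild_text, recorded_sha256, present, status, allowed)


if __name__ == "__main__":
    # offline run on the constructed sample; use attest_checkout() against a real checkout
    print(attest(SAMPLE_PKGBUILD, pkgbuild_sha256(SAMPLE_PKGBUILD), True, SAMPLE_STATUS, [SAMPLE_FPR]))
```

The signature decision is kept separate from the subprocess calls so it can be exercised on captured status lines; the status parsing also rejects `EXPKEYSIG` and `REVKEYSIG`, which gpg reports for a signature that is mathematically fine but made with a key that should no longer be trusted.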