Add (PGP) signature verification for packages

Add a generic middleware to verify package signatures with. One derived version needs to implement this using the archlinux-keyring based distribution keyring.

Signature verification should enforce that

a package has a valid signature of a packager in the distribution keyring
a signature is done using a key that has sufficient trust (a minimum of three signatures by valid main signing keys)

Admin message

Add (PGP) signature verification for packages