Implement signing RPM repository metadata

[Conan-Kudo]

This has been a request since 2009 (ffpo#releng/tickets#1501), but we have also been lacking the infrastructure to do this. Furthermore, not having this is a blocker for considering enabling it by default for Fedora repositories.

Signing repository metadata is just mechanically taking the repomd.xml and generating a detached signature for it, stored alongside as repomd.xml.asc. A copy of the public key should also be stored as repomd.xml.key.

This probably also requires some tweaks to Pungi's repository generation task too (see pagureio#pungi#506), but the core is having the signing infrastructure support it so release composes and update composes can offer them.

[jeremycline]

There's currently support for inline and detached PGP signatures of arbitrary content on the server side, so the work required here is all the wiring up bits. I'm inclined to leave this open since I've not decided how to handle robosignatory (pending a few other client-side design choices that will have performance implications).

[Conan-Kudo]

Yeah, I figured you'd already had this in place, it's more of the mechanical and workflow bits that need ironing out. The Qubes folks really want this, and frankly I do too for things like verifying the integrity of local mirrors.