Description
We are currently checking the WAR checksum to ensure it wasn't changed during the download which has been good enough (as the "reference" checksum is verified by maintainers).
Since we download the WAR from Artifactory, we could benefit from verifying the GPG signature instead of the checksum:
- It's technically easy and doable because the `.asc` file is also present in Artifactory next to the WAR file (pushed by Maven during the release publication of Jenkins Core):
  - For example: https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.546/jenkins-war-2.546.war.asc
- And with "Add `.war.asc` to get.jenkins.io" (jenkins-infra/helpdesk#4055) completed on 21 January, we'll have the option to also use download mirrors (from get.jenkins.io) as an alternative to Artifactory to retrieve the signature.
- Pro: it would simplify the update mechanisms as we could get rid of the checksum altogether from the image.
- Challenge: we would have to copy the GPG key in the repository and update it when it changes (once every 3 years) as part of the GPG packaging procedure (most recent one happened last month: "[pkg.jenkins.io/release.ci.jenkins.io] Jenkins Packaging GPG key expires on the 26 March 2026", jenkins-infra/helpdesk#4922).
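The verification step the description proposes, as an added shell example (this is not code from the jenkinsci/docker image or the Jenkins project). It verifies a detached `.asc` signature over the WAR with `gpg --verify`, and it pins the packaging key's primary fingerprint rather than accepting any "Good signature", so a signature from some other key that happens to be in the keyring is refused. Every key, user id, fingerprint and file used here is constructed on the fly for the demo; a real image would commit the Jenkins packaging public key and hard-code its fingerprint.

```shell
#!/bin/sh
# Added example, not code from jenkinsci/docker or Jenkins. Demonstrates
# replacing a checksum check with detached-signature verification that is
# pinned to the packaging key's fingerprint. All keys/files are constructed.
set -eu

# verify_war HOMEDIR WAR ASC EXPECTED_FPR
# Succeeds only if ASC is a valid detached signature over WAR made by the key
# whose primary fingerprint is EXPECTED_FPR. HOMEDIR is the image-side keyring
# that holds nothing but the committed public key(s).
verify_war() {
  home=$1; war=$2; asc=$3; expected_fpr=$4
  # --status-fd 1 gives machine-readable lines; a bad signature or an unknown
  # key already makes gpg exit non-zero, which we propagate.
  status=$(gpg --batch --homedir "$home" --status-fd 1 \
               --verify "$asc" "$war" 2>/dev/null) || return 1
  # The VALIDSIG line's last field is the primary key fingerprint. Compare it
  # to the pinned value; "Good signature" alone is true for ANY imported key.
  printf '%s\n' "$status" | awk -v want="$expected_fpr" \
    '$2 == "VALIDSIG" && $NF == want { found = 1 } END { exit !found }'
}

# make_key HOMEDIR NAME: generate a throwaway unprotected key (demo only) and
# print its primary fingerprint.
make_key() {
  gpg --batch --homedir "$1" --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2 <$2@example.invalid>" default default never \
      >/dev/null 2>&1
  gpg --batch --homedir "$1" --with-colons --fingerprint "$2@example.invalid" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign HOMEDIR FPR FILE OUT: produce a detached ASCII-armored signature, the
# shape of the jenkins-war-<version>.war.asc file Maven publishes.
sign() {
  gpg --batch --yes --homedir "$1" --pinentry-mode loopback --passphrase '' \
      --local-user "$2" --armor --detach-sign --output "$4" "$3" 2>/dev/null
}

# demo: exercises the three cases a practitioner cares about and prints
# "genuine:ok tampered:rejected wrongkey:rejected".
demo() {
  work=$(mktemp -d)
  mkdir -m 700 "$work/signer" "$work/image"

  # "Release side": the packaging key plus an unrelated key.
  release_fpr=$(make_key "$work/signer" demo-packaging)
  other_fpr=$(make_key "$work/signer" demo-other)

  # Constructed stand-in for the downloaded WAR and its .asc.
  printf 'constructed stand-in for jenkins.war\n' > "$work/jenkins.war"
  sign "$work/signer" "$release_fpr" "$work/jenkins.war" "$work/jenkins.war.asc"
  sign "$work/signer" "$other_fpr" "$work/jenkins.war" "$work/jenkins.war.wrongkey.asc"

  # "Image side": import only public keys, as a repo-committed key file would.
  gpg --batch --homedir "$work/signer" --armor --export > "$work/public-keys.asc"
  gpg --batch --quiet --homedir "$work/image" --import "$work/public-keys.asc" 2>/dev/null

  # A corrupted download: one extra byte appended.
  cp "$work/jenkins.war" "$work/tampered.war"
  printf 'X' >> "$work/tampered.war"

  genuine=rejected; tampered=rejected; wrongkey=rejected
  if verify_war "$work/image" "$work/jenkins.war" "$work/jenkins.war.asc" "$release_fpr"; then genuine=ok; fi
  if verify_war "$work/image" "$work/tampered.war" "$work/jenkins.war.asc" "$release_fpr"; then tampered=ok; fi
  # gpg itself reports "Good signature" here (the other key IS in the
  # keyring); only the fingerprint pin rejects it.
  if verify_war "$work/image" "$work/jenkins.war" "$work/jenkins.war.wrongkey.asc" "$release_fpr"; then wrongkey=ok; fi

  # Stop the per-homedir agents and clean up.
  gpgconf --homedir "$work/signer" --kill gpg-agent >/dev/null 2>&1 || true
  gpgconf --homedir "$work/image" --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$work"
  printf 'genuine:%s tampered:%s wrongkey:%s\n' "$genuine" "$tampered" "$wrongkey"
}
```

In an image, `verify_war` would run right after the download, with the `.asc` fetched from Artifactory or a get.jenkins.io mirror alongside the WAR, and the fingerprint argument would be the pinned value of the committed packaging key. The wrong-key case is why the fingerprint pin matters: once more than one key can ever be in the keyring (for example during the 3-yearly key rotation, when old and new keys overlap), `gpg --verify` exiting 0 is not sufficient on its own.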