scripts: Verify tarball signature before use.
While there are Linux tarballs provided in standard location on many
machines it is not clear where these mirrors are mounted from, how
secure was the mirroring proccess, and the storage itself.
For local testing it is faster to use git but for OBS builds we want
the upstream tarballs to get bit-identical tarball files, and then we
also want the verification to ensure integrity of the mirror.
xz compressions is not completely deterministic, and while the tarball
content should be the same the bit representation varies. When
uploadiong to OBS it is desirable to use bit-identical files to prevent
OBS storing multiple big files with the same content inside but not
apparently identical.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>