scripts: Verify tarball signature before use.
    
    While there are Linux tarballs provided in standard location on many
    machines it is not clear where these mirrors are mounted from, how
    secure was the mirroring proccess, and the storage itself.
    
    For local testing it is faster to use git but for OBS builds we want
    the upstream tarballs to get bit-identical tarball files, and then we
    also want the verification to ensure integrity of the mirror.
    
    xz compressions is not completely deterministic, and while the tarball
    content should be the same the bit representation varies. When
    uploadiong to OBS it is desirable to use bit-identical files to prevent
    OBS storing multiple big files with the same content inside but not
    apparently identical.
    
    Signed-off-by: Michal Suchanek <msuchanek@suse.de>