Fix verification of dependencies resolved in buildFinished Previously it was possible that a user hook (buildFinished) was executed _after_ the verification code was done. With this commit this is no longer possible.
Add support for key fingerprints In order to provide maximum security, it's now possible to use full key fingerprints, in addition to long (64-bit) key ids, in trusted or ignored keys.
It doesn't matter what format is used: if a trusted key uses a long id, then it's possible that if there's a key collision, an artifact would be trusted even if it shouldn't. If a fingerprint is used instead, then we would use the full fingerprint for verification.
It's worth nothing that PGP doesn't provide the full fingerprint in signatures for the key issuer. This means that when we're going to download keys, we will still use the long ids.