Avoid verifying the same artifact multiple times and make sure that signature files are downloaded concurrently. This commit adds several improvements, in particular by avoiding making the same network requests multiple times just because we use the same PGP key but in a different context.
Add local keyring file Fetching remote keys can be quite expensive. In order to avoid lookups, this commits introduces the ability to use a local keyrings file, found alongside the verification metadata.
This file can either be generated using regular tools like GPG, or via command-line by adding the `--export-keys` flag when generating the verification metadata.