Initial implementation of verification of signatures

This commit introduces _signature_ verification. Signature verification is stronger than checksum verification and must be enabled explicitly, by adding `<signature-verification>true</signature-verification>` to the dependency verification configuration file.

Once such verification is enabled, Gradle will do its best to verify the signature of artifacts. This means:
- it will try to download the .asc file associated with an artifact
- if it's present, it will automatically download the public keys of the signature and verify that the file matches the signatures
- if _any_ of the signature verifications fails, fails the build
- if a public key is not trusted explicitly, fails the build
- if signature verification succeeds, no checksum verification is performed

Currently it's not possible to perform checksum verification for some modules and signature verification for others. All modules must declare all trusted keys.

If a key cannot be downloaded, verification will fail. It's not possible to ignore a key for now. It's not possible to fall back to checksum verification.