gpg_verify 1.0 feedback

Joshua Root jmr at macports.org
Thu Sep 24 20:49:42 UTC 2020


I think that gpg signature verification is something that belongs in
maintainer-facing tools rather than in Portfiles. If the maintainer
verifies the distfile's signature before updating the checksums, the
user gets close to the same assurances while avoiding a lot of complexity.

I always verify before updating if the project provides signatures, and
I would hope others do the same, but also wouldn't be surprised if some
don't. Better tools might help improve things.

- Josh

