Make gpg-pubkey headers properly verifiable
- The pubkey headers have been rpm v3 all the way until now, whoops :)
Pull the actual key part of the header into immutable region and
stomp a sha1 digest on the result, allowing a (much) better
verification on loading. This part inspired by stumbling on a
related discussion on rpm5.org mailing list so credits where...
- Since we only insert either literally constant data or data retrieved
from the actual key into the immutable part of the header, the
calculated digest is constant for a given key regardless of where
and when it was imported. This gives some added verification and/or
cross-checking possibilities (eg was the imported key exactly the
same as what shipped etc)