And finally split the signing support into a separate library

And finally split the signing support into a separate library
- For a library with just one public function this might seem like
  a huge overkill but it permits cleanly separating dependencies:
  nothing but package signing requires GnuPG. This lets the signing
  support be stuffed into a separate package, avoiding having to
  drag gpg in on every installation (signing isn't something everybody
  does) and without having potentially broken interfaces in the API,
  essentially solving RhBug:624585.

  It also liberates signing to use libraries that might be off-limits
  for the core rpm, such as perhaps in the future doing signing
  by ourselves with the help of something like gpgme (which requires
  far too many things to drag into core rpm).