[pacman-dev] makepkg: verify git sources

Eli Schwartz eschwartz93 at gmail.com
Fri Dec 16 18:56:35 UTC 2016


So, I think this is done now. I had to fix a few other embarrassing
mistakes (see https://github.com/eli-schwartz/pacman/tree/makepkg-git-verify )
but everything should work now. I've tested it on git and http sources,
with and without signatures, and it consistently does the right thing
(at last).

I decided to check for the existence of git signed objects later rather
than earlier. It is possible for e.g. a (weird) commit message to
trigger a match with grep, so better to be explicit even if the flow is
a bit odd. Too bad git doesn't have a way to dump a signature directly.

--
Eli Schwartz
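
The false positive described in the message above, as an added example (not code from the patch, from makepkg or from the author): a grep over a raw git object matches signature text quoted in a commit message, while a check that follows the object layout does not. The function names and sample objects are constructed for illustration, and only PGP-armored signatures are assumed.

```shell
# Added example: function names are hypothetical, sample objects are constructed.
# Naive check: matches signature-looking text anywhere, commit message included.
naive_has_signature() {
    grep -q -e '^gpgsig ' -e 'BEGIN PGP SIGNATURE'
}

# Explicit check over raw `git cat-file <type> <rev>` output on stdin.
#   commit: the signature is a "gpgsig" header, before the first blank line
#   tag:    the signature is appended to the message, so the armor block
#           must be the last non-empty content of the object
has_git_signature() {
    awk -v type="$1" '
        !body && /^$/ { body = 1; next }
        !body { if (type == "commit" && /^gpgsig /) found = 1; next }
        type == "tag" {
            if ($0 == "-----BEGIN PGP SIGNATURE-----") { armor = 1; trailing = 0 }
            else if (armor && $0 == "-----END PGP SIGNATURE-----") { armor = 0; trailing = 1 }
            else if (trailing && $0 != "") trailing = 0
        }
        END { exit !(found || trailing) }
    '
}

hdr='tree 0000000000000000000000000000000000000000
author A U Thor <a@example.com> 1481914595 +0000
committer A U Thor <a@example.com> 1481914595 +0000'
# Unsigned commit whose message quotes an armored signature.
unsigned_commit="$hdr

docs: quote the upstream signature
-----BEGIN PGP SIGNATURE-----
Zm9v
-----END PGP SIGNATURE-----"
signed_commit="$hdr
gpgsig -----BEGIN PGP SIGNATURE-----
 Zm9v
 -----END PGP SIGNATURE-----

fix: real change"
signed_tag='object 0000000000000000000000000000000000000000
type commit
tag v1.0

release 1.0
-----BEGIN PGP SIGNATURE-----
Zm9v
-----END PGP SIGNATURE-----'

printf '%s\n' "$unsigned_commit" | naive_has_signature && echo "naive: false positive"
printf '%s\n' "$unsigned_commit" | has_git_signature commit || echo "explicit: unsigned"
```

Against a real repository the input would come from `git cat-file commit <rev>` or `git cat-file tag <name>`; presence is only the gate, and `git verify-commit` / `git verify-tag` still decide whether the signature is valid.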