a269a56 Implement sources verification using upstream gpg signature

Authored and Committed by jcapitao 3 years ago
    Implement sources verification using upstream gpg signature
    
    According to Fedora packaging guidelines [1], "Where the upstream project
    publishes OpenPGP signatures of their releases, Fedora packages should
    verify that signature as part of the RPM build process".
    
    This is the case for OpenStack packages, as tarballs are gpg signed when
    released [2][3].
    
    This patch is implementing signature verification when building using
    release tarballs in CBS, not in DLRN based builds. However, signature
    verification can also be disabled manually for CBS builds by setting
    sources_gpg macro to 0 manually.
    
    [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
    [2] https://docs.opendev.org/opendev/system-config/latest/signing.html
    [3] https://releases.openstack.org/#cryptographic-signatures
    
        
  • Build completed
    success
    Built as python-novaclient-1:17.4.0-1.fc35
    3 years ago
file modified
+3 -0
file modified
+17 -0
file modified
+3 -1