[patch] GPG signature support for dotar

[mehh]

Here's a straightforward GPG signature support patch for the dotar fetchers. I use it to get a "Gentoo Portage Snapshot Signing Key" < http://www.gentoo.org/proj/en/releng/> authenticated version of the portage tree over dodgy networks.

The signature is downloaded first to make this less racy.

[dleverton]

Strictly speaking this shouldn't assume that the same value of ${FETCHER} is OK for both the tarball and the signature. On the other hand, having it separate implies having a --signature-fetch-option flag or something, which is possibly overdoing it a bit, and it's pretty unlikely to be different in practice....

As for the race between downloading the tarball and downloading the signature, that's a bit unfortunate, but again I'm not sure if there's a reasonable alternative. emerge-webrsync handles this by explicitly figuring out the date of the latest snapshot and downloading it by the dated name, rather than using "latest", which we could potentially do in a more specialised fetcher but not the generic tar one.

If no-one has any further comments on the above, could you reattach in "git format-patch" format please? It's not vital but allows the authorship to be recorded properly.

[mehh]

please ignore this one

[dleverton]

Someone REALLY needs to fix trac to send emails when people attach files. Now committed, sorry for the delay.