GPG-verify the source files
This involves a switch to fetching sources from SourceForge. Most of the
actual development seems to happen on GitHub, where the releases page
states that the commit tag has been successfully verified, but I can't
figure out how to get the public key or signatures for local
verification. BleachBit's documentation instead points to SourceForge
for those files.