Check tarball signature
I cannot really check that the key is valid, apart from the fact that
the person in control of the github repository uploaded a signature
with this key. So this check is nothing more than TOFU, but I think
it's still useful for the future.