improve gpg verification of upstream source
Use %{gpgverify} macro to verify tarball signature. The macro is now
available for all supported Fedora and EPEL releases. (It is presumed
that EL-9 will include %{gpgverify} as it will be branched from F-34.
If that turns out to be false, we will adjust later.)
The Packaging Guidelines require the use of the %{gpgverify} macro:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
Add a BuildRequires for xz as well, since we use it explicitly in %prep.
Renumber Junio's GPG key from Source9 to Source2 so the %{gpgverify}
calls follow the typical pattern. It (mildly) lessens cognitive load
for anyone reviewing the spec file.
While here, remove a stale comment about leaving a blank line after
%autosetup to work around a bug on EL6.