Verify GPG signature of upstream tarball when building the package
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
> Any detached signature file (e.g. foo.tar.gz.asc or foo.tar.gz.sig) must be
> uploaded to the package lookaside cache alongside the source code, while
> the keyring must be committed directly to the package SCM.
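The way this looks in practice, as an added example (not part of the original report and not taken from any real package): a trimmed RPM spec that follows the guideline above. The tarball and its detached `.asc` signature come from the lookaside cache as `Source0` and `Source1`, the upstream public key is committed to the package SCM as `Source2`, and `%prep` refuses to unpack anything unless the signature verifies against that key. The project name `foo`, the URLs under `example.org` and the key fingerprint in the keyring file name are placeholders.

```spec
# Placeholder package; "foo", example.org and the fingerprint are not real.
Name:           foo
Version:        1.2.3
Release:        1%{?dist}
Summary:        Example package that verifies its upstream tarball signature
License:        MIT
URL:            https://example.org/foo

# Upstream tarball, uploaded to the lookaside cache.
Source0:        https://example.org/foo/foo-%{version}.tar.gz
# Detached signature, uploaded to the lookaside cache next to the tarball.
Source1:        https://example.org/foo/foo-%{version}.tar.gz.asc
# Upstream signing key, exported in binary form and committed to dist-git.
# Naming it after the full fingerprint makes a key change visible in review.
Source2:        gpgkey-0123456789ABCDEF0123456789ABCDEF01234567.gpg

# gpgv, which %{gpgverify} wraps, lives in gnupg2.
BuildRequires:  gnupg2

%description
Example package demonstrating signature verification of the upstream source.

%prep
# Verify before unpacking: a bad or missing signature aborts the build here,
# so a tampered tarball never reaches %autosetup or %build.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup

%build
%configure
%make_build

%install
%make_install

%files
%license LICENSE
%{_bindir}/foo
```

The keyring file is produced once from the maintainer's GnuPG keyring with `gpg2 --export --export-options export-minimal <FINGERPRINT> > gpgkey-<FINGERPRINT>.gpg`, and the tarball plus `.asc` are uploaded together with `fedpkg new-sources foo-1.2.3.tar.gz foo-1.2.3.tar.gz.asc`. The check is only as strong as the key it trusts: confirm the fingerprint against an out-of-band source (upstream's release announcement, website or a previously verified release) before committing it, and treat any later change to `Source2` as something to review, not something to rubber-stamp.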