fixed various gpg verification security issues

[adrelanos]

• fixed Stage3 GPG signature verification broken Stage3 GPG signature verification broken #93
• fixed check gpg before sha512 check gpg before sha512 #94
• fixed gpg --verify is insecure for verification of --clearsigned files, use gpg --decrypt instead gpg --verify is insecure for verification of --clearsigned files #95
• fixed no need to download unsigned stage3-amd64-hardened-20150108.tar.bz2.DIGESTS when you download --clearsigned stage3-amd64-hardened-20150108.tar.bz2.DIGESTS.asc no need to download unsigned stage3-amd64-hardened-20150108.tar.bz2.DIGESTS when you download --clearsigned stage3-amd64-hardened-20150108.tar.bz2.DIGESTS.asc #96

[adrelanos]

gpg ${GPG_EXTRA_OPTS} --homedir /etc/portage/gpg --decrypt "${STAGE3LATESTFILE##*/}.DIGESTS.asc" > "stage3latestfile_clear_text"

My major mistake:
--decrypt isn't safe either:
http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052205.html
(It would exit 0 if it was an encrypted, but unsigned text. Very bad. [Anyone could encrypt a text to the signing public keys.])

Werner Koch = gnupg lead developer. He wrote, quote:

You better check the status lines; in particular watch out for
[GNUPG:] VALIDSIG E4B868C8F90C.....
or use gpgv.

Hopefully we find an alternative to using status lines. It's doable but not super simple.

I guess gpgv alone won't work for that --clearsigned file because gpgv has no option to store the verified text (without potential malicious surroundings) in another file. Maybe a combination of gpgv + gpg --out out file.asc could do the trick.

---

Minor importance:
I/O redirection (>) is unnecessary here. Should use --output instead.

[martinholovsky]

quite difficult to let us know if file has been spoofed/modified or not... I wouldn't expect this from gpg...