For background, see #12689 and its various duplicates. The short version is:

 - Unfortunately, hkp://jirk5u4osbsr34t5.onion is way too unreliable.

 - Most non-tech-savvy OpenPGP users don't use keyservers at all,
   so this change should not affect them much.

 - Tech-savvy OpenPGP users who want to use the Web-of-Trust (which
   keys.openpgp.org's design essentially kills) should be able
   to switch to a keyserver of their choosing, that includes
   non-self certifications.

Let's use the Onion service instead of hkps://keys.openpgp.org/, so that we
don't lose end-to-end encryption and authentication of the keyserver in
Seahorse, which doesn't support hkps://. Alternatively, we could use
hkps://keys.openpgp.org/ everywhere else, but it feels simpler to use the same
keyserver everywhere.

At this point, the only Tails systems that are affected by this change are those
run without GnuPG persistence, and newly created persistent GnuPG configuration.
Pre-existing persistent GnuPG configuration is not updated (yet).

On the test suite front:

 - This commit keeps the Chutney-based redirector setup as-is, except it will
   proxy requests to keys.openpgp.org, instead of pool.sks-keyservers.net
   previously. This should work as long as keys.openpgp.org supports cleartext
   communication on port 11371.

 - In theory, our long-term plan is to replace this with a local mock keyserver
   Onion service. We'll see if that's still worth the effort once we redirect
   requests to a more reliable upstream keyserver.

 - I'm removing the @fragile tag for torified_gnupg.feature. There might
   be other reasons why these scenarios are fragile; let's learn about them.