Consider migrating Upgrader's UDF signature verification from GnuPG to Sequoia SOP
An implementation of the Stateless OpenPGP Command Line Interface RFC is now in Debian: https://tracker.debian.org/pkg/rust-sequoia-sop
Such a simple, stateless implementation of OpenPGP signature verification feels more confident-inspiring than our current implementation, that relies on communicating with gpg
on the command line (abstracted away in the Perl GnuPG::Interface
library, but still), which is hard to get right.