fix: rewrite verify downloads for desktop#1262

Open
nicodh wants to merge 1 commit into main from improve-verify-download
@nicodh nicodh commented Feb 13, 2026

One part of resolving deltachat/deltachat-desktop#6030

We need to adapt the signature.asc file that is generated and uploaded by desktop-builder before we can publish this.

The idea is to have the PGP key together with the sha5 checksums in one file so it can be verified in one command

gpg --decrypt signature.asc | shasum -a 512 --ignore-missing -c -

sha1 checksums will be removed

The file signature.asc will contain something like

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

b67e3e0fde06a1a98631a5a4a32221de879e28029542726bc8646418ba90db2b681b46130b9cb955e3b470a7a007c6d067da3a317cafc6d3d13dc28d242cf0be  DeltaChat-2.35.0-Portable.x64.exe
5a83e282dfa98908a0dadd19260405c8093dd2a3b0c451cc281f05034bc6900751b8b86cb1bfd68d5ff2f14373f31f2426213c7f615720853d509930fa4ef9b1  DeltaChat-2.35.0-Setup.x64.exe
34bebfba5d83a10a0ebb2ded889eeedd2b22f9fbf845fa23f7ef1997acb12991c2ef74a4025ed599dc38c7f52d7413fcf586e9fb90a9deebdd8f06caf504faab  DeltaChat-2.35.0-arm64.AppImage
etc.
-----BEGIN PGP SIGNATURE-----

wnUEARYKAB0WIQRjzR+BW6VgUYN2mZxibibIFpUTCAUCaUqrnAAKCRBibibIFpUT
CFWSAQDwBJc0jzOsyy/LKIFpiq1kPz9GwBttHA9QTotaz0qT3gEAwFTHuwdLQo7e
AvoE4W7qEwqKvzRSYYwWJ8Unadg2lQ8=
=M80U
-----END PGP SIGNATURE-----
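
A stricter form of the one-command check from the description above, as an added example (not code from this PR or from Delta Chat): the checksums are taken only from gpg's output, and only after gpg's machine-readable status names the fingerprint quoted on this page. The function names are hypothetical, and it assumes GnuPG 2.x and `shasum` are installed.

```shell
#!/bin/sh
# Added example, not part of the PR. Function names are hypothetical.
# Primary key fingerprint as quoted in the gpg output on this page, spaces removed.
EXPECTED_FPR=63CD1F815BA560518376999C626E26C816951308

# Reads `gpg --status-file` output on stdin. Succeeds only if gpg reported a
# good signature AND the VALIDSIG line ends in the expected primary-key fingerprint.
signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { fpr = 1 }
        END { exit (good && fpr) ? 0 : 1 }'
}

# Keeps only "<128 hex digits> <space or *><name>" lines, so any other text in
# the signed message does not reach shasum as an improperly formatted line.
checksum_lines() {
    grep -E '^[0-9a-f]{128} [ *].+$'
}

# Usage: verify_release signature.asc   (run in the download directory)
verify_release() {
    tmp=$(mktemp -d) || return 1
    rc=1
    # Status goes to its own file, separate from the message body. gpg's exit
    # status is ignored on purpose: the status lines below make the decision.
    gpg --batch --status-file "$tmp/status" --output "$tmp/body" \
        --decrypt "$1" 2>/dev/null || :
    if signed_by "$EXPECTED_FPR" < "$tmp/status"; then
        checksum_lines < "$tmp/body" | shasum -a 512 --ignore-missing -c - && rc=0
    else
        echo "no good signature from $EXPECTED_FPR; checksums not checked" >&2
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

The import of `deltachat_certificate.asc.txt` still has to happen first; the fingerprint comparison only helps if `EXPECTED_FPR` was obtained from a source you trust.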

@nicodh nicodh requested review from missytake and r10s February 13, 2026 10:13
github-actions bot commented Feb 13, 2026

Check out the page preview at https://staging.delta.chat/1262/en/verify-downloads

gpg --import deltachat_certificate.asc.txt

# Verify signature and file integrity
gpg --decrypt signature.asc | shasum -a 512 -c -
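
Review bot: In the `gpg --decrypt signature.asc | shasum -a 512 -c -` line, the exit status of the pipeline is shasum's, and the `OK` lines are printed by shasum from whatever text gpg writes to the pipe, so a gpg error on the left side is not reflected in either. The page should tell readers to confirm the `Good signature` line and the fingerprint before relying on the `OK` lines, or split the step so that the checksum check only runs after gpg has succeeded.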

Suggested change
gpg --decrypt signature.asc | shasum -a 512 -c -
gpg --decrypt signature.asc | shasum -a 512 --ignore-missing -c -

--ignore-missing is missing down here ;)

Comment on lines +57 to +61
gpg: Good signature from "deltachat-signing@merlinux.eu" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 63CD 1F81 5BA5 6051 8376 999C 626E 26C8 1695 1308
<filename>: OK

Suggested change
gpg: Good signature from "deltachat-signing@merlinux.eu" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 63CD 1F81 5BA5 6051 8376 999C 626E 26C8 1695 1308
<filename>: OK
gpg: Good signature from "deltachat-signing@merlinux.eu" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 63CD 1F81 5BA5 6051 8376 999C 626E 26C8 1695 1308
<filename>: OK
shasum: WARNING: 32 lines are improperly formatted

I also got this warning at the bottom when I checked the signature.asc for 2.35.0; not sure why it didn't appear for you, will future signature.asc files not contain the instructions?

<filename>: OK
```

The warning is normal - the signature is valid, but GPG warns because you haven't explicitly trusted the key. **Important:** Verify the fingerprint matches the one shown above.
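
Review bot: "The warning is normal" does not say which warning is meant, so a reader can apply it to any gpg or shasum message that appears during verification. Quote the expected text ("This key is not certified with a trusted signature") in the sentence, and consider repeating the fingerprint next to "Verify the fingerprint matches" instead of pointing to "the one shown above".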

Suggested change
The warning is normal - the signature is valid, but GPG warns because you haven't explicitly trusted the key. **Important:** Verify the fingerprint matches the one shown above.
The warnings are normal -
the signature is valid, but GPG warns because you haven't explicitly trusted the key.
**Important:** Verify the fingerprint matches the one shown above.
The second warning is because of the guidelines in the signature.asc file.

If the change above is accepted, this should probably be added too. I also used sembr to make the line shorter.
