verify downloaded file only - don’t burn

[j-lakeman]

Is your feature request related to a problem? Please describe.

stash away an .iso or another image file without burning it immediately

Describe the solution you'd like

caligula verify IMAGE_FILE should try to

1. detect corresponding checksum and signature files
2. try to download potentially missing public key from common key servers
3. run both checks
4. print result
5. if successful offer trashing both files

Describe alternatives you've considered

manually putting together shell aliases/functions

Additional context

security through integrity

I could provide common regex patterns for checksum and signature files as well as common key servers and shell commands I’ve been using so far.

[ifd3f]

Sounds like a good idea. More verification steps are always good to have.

I think that if we're going to add extra verification steps, though, we should also do those in caligula burn as well.

For the time being, we can just make a caligula verify subcommand that does our normal hash validation steps. The signature validation can be added on separately, so you can create a sub-issue for that.