Per the guidelines¹, verify upstream signatures, unless we are in
bootstrap mode.
The fingerprints of the keys contained in signature_key.asc were checked
against the upstream page (https://gnupg.org/signature_key.html). One
downside is that we are unable to verify signatures made with only the
brainpool key. The hope is that such releases are relatively rare and
the benefit of automated signature verification outweighs the hassle of
handling such releases. For these releases, set skip_verify to 1, as
we've done here. Afterward, reset it to 0.
¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
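
The fingerprint comparison this commit message describes can be repeated with a short script. This is an added example, not part of the commit or the package: the function names are hypothetical and the sample listing is constructed with made-up fingerprints.

```shell
#!/bin/sh
# Added example: confirm that a keyring holds exactly the primary keys whose
# fingerprints were copied by hand from the upstream page.
# Real use (assumes gpg is installed; expected.txt is a hypothetical file):
#   gpg --show-keys --with-colons signature_key.asc | check_fprs "$(cat expected.txt)"

# Print the primary-key fingerprints found in `gpg --with-colons` output.
# The "fpr" record right after "pub" is the primary key; "fpr" records
# that follow "sub" are subkeys and are skipped. Field 10 holds the value.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Strip spaces, drop blank lines, upper-case, sort: web pages usually show
# fingerprints in space-separated groups.
normalize() {
    tr -d ' \t' | tr 'a-f' 'A-F' | sed '/^$/d' | sort -u
}

# check_fprs EXPECTED: colon listing on stdin. Succeeds only when the set of
# primary fingerprints equals EXPECTED (one per line), so an extra key in the
# keyring fails the check just like a missing one.
check_fprs() {
    expected=$(printf '%s\n' "$1" | normalize)
    actual=$(primary_fprs | normalize)
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Constructed sample listing; the fingerprints are made up.
SAMPLE_LISTING='pub:-:255:22:4444DDDD5555EEEE:1600000000:::-:::scESC:
fpr:::::::::1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE:
uid:-::::1600000000::0000::Example Signer One::::::::::0:
sub:-:255:18:9999000099990000:1600000000::::::e:
fpr:::::::::9999000099990000999900009999000099990000:
pub:-:4096:1:999922220000AAAA:1500000000:::-:::scESC:
fpr:::::::::6666FFFF7777000088881111999922220000AAAA:
uid:-::::1500000000::0000::Example Signer Two::::::::::0:'
```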