Verifying source file signatures with gpg