64375c Verify packages before signing (RhBug:1646388)

2 files changed. Authored by Panu Matilainen 4 years ago, committed by ttomecek 4 years ago.
    Verify packages before signing (RhBug:1646388)
    
    Permitting corrupted packages to be signed is bad business for everybody
    involved; this is something we should've always done. Besides being an
    actual security risk, it can lead to odd results with verification,
    especially with the payload digest on signed packages.
    
    One point worth noting is that this means that pre-4.14 packages cannot
    be signed in FIPS mode now because there's no way to validate the package
    payload range due to MD5 being disabled. This seems like a feature and
    not a limitation, so the disabler for the verify step is intentionally left out.
    
    Optimally we'd verify the package on the same read that's passed
    to gpg, but for simplicity's sake that's left as a future exercise;
    for now we simply read the package twice.
    
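The verify-before-sign ordering the commit message describes, and the "same read" variant it leaves as a future exercise, as an added illustration that is not rpm's code and not part of this commit. It assumes a constructed toy package format (a `PKG1` magic line, a SHA-256 payload digest line, then the payload) in place of rpm's real header and signature tags, and uses an HMAC as a stand-in for the gpg signature; the two-pass signer reads the package twice as the commit does, while the single-pass signer feeds one stream to both the digest check and the signer and discards the result if the payload turns out to be corrupt.

```python
import hashlib
import hmac
import io

# Toy package layout used for this example (an assumption, not rpm's on-disk format):
#   b"PKG1\n" + <hex sha256 of payload> + b"\n" + <payload bytes>
MAGIC = b"PKG1\n"


def build_package(payload: bytes) -> bytes:
    """Construct a sample package whose header carries the payload digest."""
    digest = hashlib.sha256(payload).hexdigest().encode()
    return MAGIC + digest + b"\n" + payload


def parse_package(blob: bytes):
    """Split a package blob into (expected_digest_hex, payload)."""
    magic, digest, payload = blob.split(b"\n", 2)
    if magic + b"\n" != MAGIC:
        raise ValueError("not a PKG1 package")
    return digest.decode(), payload


def verify_package(blob: bytes) -> bool:
    """Recompute the payload digest and compare it to the header's claim."""
    expected, payload = parse_package(blob)
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(expected, actual)


def sign_package_two_pass(blob: bytes, key: bytes) -> str:
    """First read: verify. Second read: sign. Corrupt input is never signed."""
    if not verify_package(blob):
        raise ValueError("refusing to sign corrupted package")
    # HMAC-SHA256 over the whole blob stands in for the gpg signature.
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def sign_package_single_pass(stream, key: bytes, chunk_size: int = 4096) -> str:
    """Verify and sign on the same read of the stream.

    The signer state is thrown away if the digest check fails at the end,
    so a corrupt package still never yields a signature.
    """
    header = stream.readline()
    digest_line = stream.readline()
    if header != MAGIC:
        raise ValueError("not a PKG1 package")
    expected = digest_line.strip().decode()
    signer = hmac.new(key, header + digest_line, hashlib.sha256)
    payload_hash = hashlib.sha256()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        payload_hash.update(chunk)  # verification side
        signer.update(chunk)        # signing side, same bytes
    if not hmac.compare_digest(expected, payload_hash.hexdigest()):
        raise ValueError("refusing to sign corrupted package")
    return signer.hexdigest()


def sign_bytes_single_pass(blob: bytes, key: bytes) -> str:
    """Convenience wrapper: run the single-pass signer over an in-memory blob."""
    return sign_package_single_pass(io.BytesIO(blob), key)


def try_sign(blob: bytes, key: bytes):
    """Return the signature, or None if signing was refused."""
    try:
        return sign_package_two_pass(blob, key)
    except ValueError:
        return None


if __name__ == "__main__":
    key = b"constructed-example-key"
    good = build_package(b"constructed payload bytes " * 8)
    bad = good[:-1] + bytes([good[-1] ^ 0x01])  # flip one payload bit
    print("two-pass   :", sign_package_two_pass(good, key))
    print("single-pass:", sign_bytes_single_pass(good, key))
    print("corrupt    :", try_sign(bad, key))
```

Both signers produce the same value for an intact package; for the corrupted one, the two-pass signer refuses before any signing work is done, and the single-pass signer refuses after the read but before any signature leaves the function, which is the property that matters for the signing step.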
file modified
+32 -0
file modified
+20 -0