Refresh Tails signing key before each upgrade check

That way the expiry of our keys will be much less problematic for users when Tails Upgrader looks for upgrades. So, before Tails Upgrader verifies any UDF, it’s run something like:

curl https://tails.boun.org/tails-signing.key | \
    gpg --import-options merge-only --import

which should be safe thanks to merge-only.

Parent Task: #15281

Related issues

Blocks #16209

Original created by @anonym on 15279 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information