Sanitize fetched gpg keys

There are rogue gpg keys around that contain possible js exploits like this one: https://pgp.mit.edu/pks/lookup?search=foo%40example.com&op=vindex

We need to make sure that we sanitize while fetching a key.

(from redmine: created on 2016-12-05, relates #8648 (closed))