CVE-2018-12020: add no verbose to avoid fake signatures
The SigSpoof vulnerability found in GnuPG also affects Monkeysign, but in a lesser way. We check signatures only in one place: when we import images. This is a corner use case that is probably quite uncommon and since it requires access to the file in itself, it's likely there are already other ways to import arbitrary signatures into monkeysign. Still, we play it safe and disable the "verbose" mode that can possibly be enabled in `gnupg.conf` as recommended by the reporter, Marcus Brinkmann.
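The mitigation described above, sketched as an added example (this is not monkeysign's code or part of this commit): `gpg` is invoked with `--no-verbose`, and, going one step beyond the commit, status lines are read from a dedicated pipe instead of a stream shared with log output. The function names and both sample streams are constructed for illustration.

```python
import os
import subprocess

STATUS_PREFIX = "[GNUPG:] "

def build_verify_argv(sig_path, status_fd, gpg="gpg"):
    # --no-verbose resets the verbosity level, so a "verbose" line in the
    # user's configuration no longer makes gpg log the embedded file name.
    return [gpg, "--batch", "--no-verbose",
            "--status-fd", str(status_fd), "--verify", sig_path]

def good_signatures(status_text):
    """Return the key IDs carried by GOODSIG status lines in status_text."""
    ids = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split(" ", 2)
            if fields[0] == "GOODSIG" and len(fields) >= 2:
                ids.append(fields[1])
    return ids

def verify(sig_path):
    """Run gpg with the status channel on its own pipe (POSIX only)."""
    r, w = os.pipe()
    proc = subprocess.Popen(build_verify_argv(sig_path, w),
                            pass_fds=(w,), stderr=subprocess.DEVNULL)
    os.close(w)  # the parent keeps only the read end
    with os.fdopen(r, encoding="utf-8", errors="replace") as status:
        text = status.read()
    proc.wait()
    return good_signatures(text)

# Constructed sample: log and status output sharing one stream while verbose
# is on. The logged file name contains a line break, so attacker-chosen text
# lands at the start of a line and is indistinguishable from a status line.
MIXED_VERBOSE_STREAM = (
    "gpg: original file name=''\n"
    "[GNUPG:] GOODSIG 0000000000000000 Constructed Signer\n"
    "'\n"
    "[GNUPG:] NODATA 1\n"
)

# Constructed sample: what the dedicated status pipe carries for that input.
STATUS_ONLY_STREAM = "[GNUPG:] NODATA 1\n"

if __name__ == "__main__":
    print("shared stream:  ", good_signatures(MIXED_VERBOSE_STREAM))
    print("dedicated pipe: ", good_signatures(STATUS_ONLY_STREAM))
```
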