use gpgv instead of gpg for git tag verification

We want to avoid the use of full-blown "gpg" where possible. "gpgv" should be sufficient for signature verification.

As an added benefit, this change avoids rendering the spurious warning:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Edited by Daniel Kahn Gillmor
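
The verification described above, as an added example that is not code from this merge request or its project: the tag object is split into its signed payload and its OpenPGP signature, and gpgv checks one against the other. gpgv treats every key in the keyring it is given as trusted and consults no trust database, which is why the warning does not appear. The function names, the keyring path and the tag name are assumptions, and the split assumes the signature is appended to the tag body in ASCII armor.

```shell
#!/bin/sh
# Added example: verify a signed git tag with gpgv and a dedicated keyring.
# Function names are hypothetical; TAG and KEYRING come from the caller.

# Print the signed payload: every line before the OpenPGP armor header.
tag_payload() {
    awk '/^-----BEGIN PGP SIGNATURE-----$/ { exit } { print }' "$1"
}

# Print the signature: the armor block from its header to the end.
tag_signature() {
    awk '/^-----BEGIN PGP SIGNATURE-----$/ { on = 1 } on { print }' "$1"
}

# verify_tag_gpgv TAG KEYRING
# KEYRING should contain a slash (for example ./release-keys.gpg); gpgv
# looks up a bare file name in the GnuPG home directory instead.
verify_tag_gpgv() {
    tag=$1
    keyring=$2
    tmp=$(mktemp -d) || return 1
    # Fails for lightweight tags, which have no tag object to verify.
    if ! git cat-file tag "$tag" > "$tmp/tag"; then
        rm -rf "$tmp"
        return 1
    fi
    tag_payload "$tmp/tag" > "$tmp/payload"
    tag_signature "$tmp/tag" > "$tmp/sig"
    if [ ! -s "$tmp/sig" ]; then
        echo "tag $tag carries no OpenPGP signature" >&2
        rm -rf "$tmp"
        return 1
    fi
    # Exit status is 0 only if the signature is valid and was made by a
    # key present in KEYRING.
    rc=0
    gpgv --keyring "$keyring" "$tmp/sig" "$tmp/payload" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```
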
