dgit-repos-server for tag2upload needs refactoring to verify the tag sooner

We need to make sure that we're verifying the tag as early as the design says, as this was one of the security review's recommended changes. It'll be a bit of refactoring work, so filing this issue, rather than entangling it with my current work towards tag2upload-service-manager#2 (closed).

Specifically, the following should happen, in this order:

verify key is signed by someone in keyring and it uses a good enough hash function
parse the tag for metadata
check signer is authorised for the package.

Edited Dec 09, 2024 by Sean Whitton

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information