Check upstream gpg signature

Add support to d/watch for checking the upstream detached signature using key id B06884EDB779C89B044E64E3CD6DBF8EF3B17D3E

I'm expecting Amos Jeffries to verify this is the correct key, and let me know if it needs updating, or if other keys should be added.