fetch-configlet: consider verifying release signature

[ee7]

To verify the release, the user would need to have minisign installed. That's less onerous than it may seem, because it's tiny and much more straightforward than working with gpg.

And unless we instead upload one .minisig file for each release asset, we also need to be able to hash the download on the user's machine and compare it to the hash in the checksums file.

Options for fetch-configlet behavior:

1. Error immediately if minisign is not installed. This is too strict.
2. If minisign is installed, verify the release signature and print that we did so. Otherwise print a message saying something like "Release signature not verified. To verify the signature, install minisign and re-run fetch-configlet."
3. If minisign is installed, verify the release signature and print that we did so. Otherwise, print nothing.
4. The status quo: do not verify the release signature, even if minisign is installed. Somebody who wants to verify the signature must do it manually.

I'm OK with option 4 for now. Option 2 has the potential to sound scary. Option 3 could be nice.