
Fix Issue #31: Add checksum and PGP key validation before installing flyway-cli

Open ryancraig opened this issue 2 years ago • 1 comment

This PR fixes Issue #31 and provides an additional security enhancement of verifying the PGP key used to create the detached signature file.

In each Dockerfile the following flyway-cli installation workflow occurs:

  1. Get the PGP public key used to sign the GPG detached signature file, flyway-commandline-${FLYWAY_VERSION}.tar.gz.asc.
  2. Download the flyway-cli tarball.
  3. Download the GPG detached signature file for the tarball.
  4. Download the checksum for the tarball.
  5. Use GPG to verify that the tarball was signed by the owner of the key obtained.
  6. Test that the stated checksum matches the tarball checksum by using the sha1sum tool.
  7. If software package verification succeeds, install flyway-cli.

I also cleaned up the extra packages required.

ryancraig avatar Mar 25 '22 04:03 ryancraig
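The verify-before-install gate from steps 5 to 7, as an added example in POSIX shell (not code from the PR or from the flyway-docker project), operating on files already downloaded into the working directory. The `.sha1` checksum file name, the checksum file containing either a bare hash or a `sha1sum`-style "hash  filename" line, and the caller-supplied expected key fingerprint are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's Dockerfile: gate flyway-cli installation on both
# the published SHA-1 checksum and the detached PGP signature. File names follow
# the PR description; the expected fingerprint is supplied by the caller.
set -eu

# Compare the tarball's SHA-1 with the published checksum. Assumption: the
# checksum file holds either a bare hash or a "hash  filename" line.
verify_checksum() {
    tarball=$1; checksum_file=$2
    expected=$(awk 'NR==1 {print $1}' "$checksum_file")
    actual=$(sha1sum "$tarball" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify the detached signature and pin the signer: a good signature from any
# key that happens to be in the keyring is not enough, so the VALIDSIG status
# line must carry the expected fingerprint (signing subkey or primary key).
# gpg --verify still exits 0 when the key has expired (EXPKEYSIG), so that
# case is rejected unless ALLOW_EXPIRED_KEY=1 is set explicitly.
verify_signature() {
    tarball=$1; sig_file=$2; expected_fpr=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig_file" "$tarball" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v fpr="$expected_fpr" \
        '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==fpr || $NF==fpr) {ok=1} END {exit ok?0:1}' \
        || return 1
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] EXPKEYSIG '; then
        [ "${ALLOW_EXPIRED_KEY:-0}" = 1 ] || return 1
    fi
}

# Only unpack the tarball after both checks pass (steps 5, 6 and 7 of the PR).
# The ".sha1" suffix for the checksum file is an assumption.
verify_and_install() {
    version=$1; expected_fpr=$2; dest=$3
    tarball="flyway-commandline-$version.tar.gz"
    verify_checksum "$tarball" "$tarball.sha1" \
        || { echo "checksum mismatch for $tarball" >&2; return 1; }
    verify_signature "$tarball" "$tarball.asc" "$expected_fpr" \
        || { echo "bad or unpinned signature for $tarball" >&2; return 1; }
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}
```

In a Dockerfile the three functions collapse into one RUN step; keep the fingerprint in a build argument rather than trusting whatever key a keyserver returns for a key ID.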

While I was making these changes I discovered a few issues within the RedGate Flywaydb team's build process. One of the issues is that the PGP key used to sign the tarball is expired. Someone should renew the key. I don't know where I might submit an issue, so hopefully this comment will stimulate change. Also, note that it seems PGP public key servers are shutting down because they don't want to or cannot comply with GDPR regulations. I would highly recommend putting the public PGP key RedGate employs for signing in a GitHub Gist. Then publish the Gist raw content URI on the RedGate page somewhere so that users of Redgate products can more easily verify the integrity of Redgate software distributions before installing them. For example, here's my PGP public key: https://gist.githubusercontent.com/ryancraig/72e3818133327a0d2ae9facce05d1ee0/raw/9c94441b55fe2fed130784b5bb9f04d53334a22e/C8937543B1BFEEB9.asc. You will not have to worry about public keyserver accessibility ever again!

ryancraig avatar Mar 25 '22 15:03 ryancraig