swiftenv
--verify option does not actually verify downloaded tarball
When running `swiftenv install` with the `--verify` flag, it attempts to verify the signature but actually fails open with the following logging:

```
gpg: no signed data
gpg: can't hash datafile: No data
```
The current implementation doesn't actually verify anything, because the files it hands to `gpg` don't follow gpg's file-naming conventions. From the gpg manual:

> `--verify`
>
> Assume that the first argument is a signed file or a detached signature
> and verify it without generating any output. With no arguments, the
> signature packet is read from STDIN. If only a sigfile is given, it may
> be a complete signature or a detached signature, in which case the signed
> stuff is expected in a file without the ".sig" or ".asc" extension.
> With more than 1 argument, the first should be a detached signature
> and the remaining files are the signed stuff.
In the Swift.org instructions, the example works because the tarball is a `swift-*.tar.gz` and the signature is a `swift-*.tar.gz.sig` file, so it meets the single-argument convention: gpg strips the `.sig` extension and finds the signed data next to it.

The code here does not preserve the names of the tarball and signature locally, so the two no longer match up and gpg fails to actually verify the signature whilst (unhelpfully) keeping its exit code as 0.
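The robust way to call gpg for this case, as an added example that is not swiftenv's own code: pass the signature and the tarball as two explicit arguments so the local filenames are irrelevant, and decide success from gpg's machine-readable `--status-fd` lines (GOODSIG plus a VALIDSIG for the expected fingerprint) rather than from the exit code, which the report shows is 0 even on "no signed data". The fingerprint and the status transcripts below are constructed sample values, not real Swift.org keys or captured gpg output.

```python
import subprocess

# Constructed placeholder fingerprint (40 hex chars); not a real Swift.org key.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed status transcripts in the shape gpg emits on --status-fd.
STATUS_NO_DATA = "[GNUPG:] NODATA 1\n[GNUPG:] NODATA 2\n"
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Key <key@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {EXPECTED_FPR} 2024-01-01 1704067200 0 4 0 1 10 00 {EXPECTED_FPR}\n"
)


def verify_command(sig_path: str, tarball_path: str) -> list[str]:
    """Build the gpg argv with BOTH files named explicitly.

    With two file arguments gpg treats the first as a detached signature and
    the second as the signed data, so the ".sig"/".asc" naming convention the
    single-argument form relies on no longer matters. --status-fd 1 puts the
    machine-readable status lines on stdout.
    """
    return ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, tarball_path]


def signature_ok(status_output: str, expected_fpr: str) -> bool:
    """Accept only GOODSIG + VALIDSIG for the expected key; reject NODATA etc."""
    good = valid = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary diagnostics, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword in ("NODATA", "BADSIG", "ERRSIG", "NO_PUBKEY"):
            return False  # fail closed on any negative status
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2 and fields[2].upper() == expected_fpr.upper():
            valid = True
    return good and valid


def verify_tarball(sig_path: str, tarball_path: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Run gpg (must be installed) and judge the result from its status lines only."""
    proc = subprocess.run(verify_command(sig_path, tarball_path), capture_output=True, text=True)
    return signature_ok(proc.stdout, expected_fpr)
```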