Create verification script and github action

Create a script which verifies that a set of "locked down" files are not
changed in commits that have not been signed.
Create a separate file that specifies which files are locked down and
another file which specifies all of the public key that are considered
trusted.

Create a github workflow that runs the script in the CI.

Author: Jontified

.github/workflows/verify-locked-down-signatures.yml

@@ -0,0 +1,23 @@
+name: Verify lockfile signatures
+on:
+    pull_request:
+        paths:
+            - .github/workflows/verify-locked-down-signatures.yml
+            - Cargo.lock
+            - gui/package-lock.json
+    workflow_dispatch:
+jobs:
+    verify-signatures:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v3
+              with:
+                ref: ${{ github.event.pull_request.head.sha }}
+            - name: Verify signatures
+              run: |
+                commits=${{ github.event.pull_request.commits }}
+                if [[ -n "$commits" ]]; then
+                    # Prepare enough depth for diffs with master
+                    git fetch --depth="$(( commits + 1 ))" origin ${{ github.head_ref }} master
+                fi
+                ci/verify-locked-down-signatures.sh origin/master

ci/locked_down_files.txt

@@ -0,0 +1,6 @@
+Cargo.lock
+gui/package-lock.json
+ci/trusted_keys.pub
+ci/locked_down_files.txt
+ci/verify-locked-down-signatures.sh
+.github/workflows/verify-locked-down-signatures.yml