[BUG] binman does not check signature of toolchain

Downloading binaries and executing without checking the authenticity is at least unwise.

When binman downloads GCC it should also download and verify the GPG signatures.

Additionally binman could hold a list of the SHA256 hashes of all binaries in question for a further check.

Best regards

Heinrich