
signingscript: update gpg public key with new self-signature (bug 2019885)#1375

Merged: jcristau merged 1 commit into mozilla-releng:master from jcristau:bug2019885 on Mar 4, 2026

Conversation

@jcristau (Contributor)

Adds a self-signature with a modern hash algo, to ensure the key is accepted by pgp implementations with stronger requirements that consider SHA1 insecure.

> $ diff -u <(git show origin/master:signingscript/src/signingscript/data/gpg_pubkey_20250313.asc | sq packet dump) <(sq packet dump < signingscript/src/signingscript/data/gpg_pubkey_20250313.asc)
> --- /dev/fd/63	2026-02-27 16:37:07.391040276 +0100
> +++ /dev/fd/62	2026-02-27 16:37:07.391040276 +0100
> @@ -317,6 +317,27 @@
>      Digest prefix: A069
>      Level: 0 (signature over data)
>
> +Signature Packet, old CTB, 590 bytes
> +    Version: 4
> +    Type: PositiveCertification
> +    Pk algo: RSA
> +    Hash algo: SHA512
> +    Hashed area:
> +      Key flags: CS
> +      Features: SEIPDv1
> +      Keyserver preferences: no modify
> +      Issuer Fingerprint: 14F26682D0916CDD81E37B6D61B7B526D98F0353
> +        Mozilla Software Releases <release@mozilla.com> (UNAUTHENTICATED)
> +      Signature creation time: 2026-02-27 14:57:50 UTC
> +      Symmetric algo preferences: AES256, AES192, AES128, TripleDES
> +      Hash preferences: SHA512, SHA384, SHA256, SHA224, SHA1
> +      Compression preferences: Zlib, BZip2, Zip
> +    Unhashed area:
> +      Issuer: 61B7B526D98F0353
> +        Mozilla Software Releases <release@mozilla.com> (UNAUTHENTICATED)
> +    Digest prefix: A584
> +    Level: 0 (signature over data)
> +
>  Public-Subkey Packet, old CTB, 525 bytes
>      Version: 4
>      Creation time: 2021-05-17 20:11:01 UTC
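Review bot: the new signature's hashed area carries no Key expiration time subpacket, and consumers take the newest valid self-signature on a User ID as the authoritative one, so this 2026-02-27 certification now governs expiry and preferences for `Mozilla Software Releases <release@mozilla.com>`; if the earlier self-signature set an expiry, this one silently drops it, so confirm that an unexpiring primary key is intended. In the same hunk, `Hash preferences: SHA512, SHA384, SHA256, SHA224, SHA1` and `Symmetric algo preferences: AES256, AES192, AES128, TripleDES` still advertise SHA1 and TripleDES; these only tell others what to use when signing or encrypting to this key, so dropping both costs nothing for verification of release signatures and matches the stated goal. Finally, the listing shows the packet was added but not that a SHA1-rejecting policy now accepts the certificate; run the armored key through a strict-policy consumer (sq with its default policy, the same tool used for this dump) before landing rather than inferring acceptance from the packet dump.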

@jcristau jcristau requested a review from a team as a code owner February 27, 2026 15:41
@jcristau (Contributor, Author)

jcristau commented Mar 4, 2026

I believe this is OK to land as-is (vs setting up a new signing format or key id, requiring task definition changes and riding the trains etc), because it only adds a single packet attached to the primary public key; there's no impact on the signatures themselves. And I'd expect any halfway competent pgp implementation to support sha512 hashes.
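The check behind this change, as an added example that is not code from this PR or from scriptworker-scripts: a small Python packet walker that lists the hash algorithm of every self-certification on a certificate's User IDs, so one can confirm that a key carries a binding signature a SHA1-rejecting implementation will still accept. It goes beyond the dump above in one respect: it reads the Issuer Fingerprint and Issuer subpackets and matches them against the primary key's ID, so third-party certifications are not mistaken for self-signatures. Assumptions: the input is the binary packet stream (the `.asc` in the PR would first be dearmored, for example with `gpg --dearmor`), keys and signatures are version 4, and the sample certificate at the bottom is constructed from toy key material with dummy signature MPIs; only packet metadata is read, nothing is cryptographically verified.

```python
"""Added example (not scriptworker-scripts code): list the hash algorithm of every self-certification on
the User IDs of a binary OpenPGP certificate.  Packet metadata only (RFC 4880 4.2, 5.2.3, 12.2); nothing is verified."""
import hashlib
WEAK_HASHES = {1, 2}                                      # MD5, SHA1 (RFC 4880 section 9.4 IDs)
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}            # generic .. positive certification of a User ID
TAG_SIG, TAG_PUBKEY, TAG_USERID = 2, 6, 13
SUBPKT_CREATION, SUBPKT_ISSUER, SUBPKT_ISSUER_FPR = 2, 16, 33

def decode_length(buf, i):
    """New-style length (1, 2 or 5 octets) shared by packet headers and subpackets."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def iter_packets(data):
    """Yield (tag, body) per packet; old and new style headers, no partial or indeterminate lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if (ctb & 0xC0) == 0xC0:                          # new format header
            if 224 <= data[i + 1] < 255:
                raise ValueError(f"partial body length at offset {i}")
            tag, (length, i) = ctb & 0x3F, decode_length(data, i + 1)
        elif (ctb & 0xC0) == 0x80 and (ctb & 3) != 3:     # old format header, as in the sq dump above
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 3)    # length field is 1, 2 or 4 octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        else:
            raise ValueError(f"unsupported packet header 0x{ctb:02x} at offset {i}")
        yield tag, data[i:i + length]
        i += length

def iter_subpackets(area):
    """Yield (type, data) from a signature subpacket area; the length covers the type octet."""
    i = 0
    while i < len(area):
        length, i = decode_length(area, i)
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length

def v4_fingerprint(pubkey_body):
    """SHA1(0x99 || 2-octet length || body) of a v4 public key; the key ID is its last 8 octets."""
    if pubkey_body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body).digest()

def parse_v4_signature(body):
    """Return (sig_type, hash_algo, issuer_key_id) from a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    issuer = None
    for sp_type, sp in [*iter_subpackets(body[6:6 + hlen]), *iter_subpackets(body[8 + hlen:8 + hlen + ulen])]:
        if sp_type == SUBPKT_ISSUER_FPR and sp[0] == 4:   # hashed Issuer Fingerprint beats unhashed Issuer
            issuer = bytes(sp[1:21][-8:])
        elif sp_type == SUBPKT_ISSUER and issuer is None:
            issuer = bytes(sp)
    return body[1], body[3], issuer

def self_certification_hashes(cert):
    """Map each User ID to the hash algorithm IDs of the primary key's own certifications on it."""
    primary_id, user_id, result = None, None, {}
    for tag, body in iter_packets(cert):
        if tag == TAG_PUBKEY:
            primary_id = v4_fingerprint(body)[-8:]
        elif tag == TAG_USERID:
            result.setdefault(user_id := body.decode("utf-8", "replace"), [])
        elif tag == TAG_SIG and user_id is not None:      # subkey bindings (0x18) fail the type check
            sig_type, hash_algo, issuer = parse_v4_signature(body)
            if sig_type in CERTIFICATION_TYPES and issuer == primary_id:
                result[user_id].append(hash_algo)
    return result

def has_strong_self_signature(cert):
    """True when some User ID carries a self-certification not hashed with MD5 or SHA1."""
    return any(h not in WEAK_HASHES for hs in self_certification_hashes(cert).values() for h in hs)

# Constructed sample input: toy key material and dummy signature MPIs, not the Mozilla key.
def _packet(tag, body):                                   # old-format header with a 2-octet length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body
def _subpacket(sp_type, data):
    return bytes([len(data) + 1, sp_type]) + data
def _certification(hash_algo, fingerprint):               # PositiveCertification issued by `fingerprint`
    hashed = _subpacket(SUBPKT_ISSUER_FPR, b"\x04" + fingerprint) + _subpacket(SUBPKT_CREATION, b"\x60\x00\x00\x00")
    unhashed = _subpacket(SUBPKT_ISSUER, fingerprint[-8:])
    body = (bytes([4, 0x13, 1, hash_algo]) + len(hashed).to_bytes(2, "big") + hashed      # v4, 0x13, RSA, hash
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\xa5\x84\x00\x10\xab\xcd")  # digest prefix + dummy MPI
    return _packet(TAG_SIG, body)
def build_sample(hash_algos):
    """Binary cert with one toy v4 RSA key, one User ID and one self-certification per hash algo."""
    pubkey = b"\x04\x60\x00\x00\x00\x01" + b"\x00\x10\xc3\x11" + b"\x00\x11\x01\x00\x01"  # time, RSA, n, e
    cert = _packet(TAG_PUBKEY, pubkey) + _packet(TAG_USERID, b"Example Releases <release@example.org>")
    return cert + b"".join(_certification(h, v4_fingerprint(pubkey)) for h in hash_algos)
if __name__ == "__main__":                                # before (SHA1 only) and after (SHA1 + SHA512)
    print([self_certification_hashes(build_sample(a)) for a in ([2], [2, 10])])
```

Running it prints the before and after result for the constructed sample: one User ID with `[2]` (SHA1 only) and then `[2, 10]` (SHA1 plus SHA512). On a real dearmored key the same `self_certification_hashes` call shows whether any self-certification uses something other than SHA1. Because consumers take the most recent valid self-signature as authoritative, appending the SHA512 one, as this PR does, is sufficient; the older SHA1 certification can remain for clients that still accept it.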

…9885)

Adds a self-signature with a modern hash algo, to ensure the key is accepted by
pgp implementations with stronger requirements that consider SHA1 insecure.

```
> $ diff -u <(git show origin/master:signingscript/src/signingscript/data/gpg_pubkey_20250313.asc | sq packet dump) <(sq packet dump < signingscript/src/signingscript/data/gpg_pubkey_20250313.asc)
> --- /dev/fd/63	2026-02-27 16:37:07.391040276 +0100
> +++ /dev/fd/62	2026-02-27 16:37:07.391040276 +0100
> @@ -317,6 +317,27 @@
>      Digest prefix: A069
>      Level: 0 (signature over data)
>
> +Signature Packet, old CTB, 590 bytes
> +    Version: 4
> +    Type: PositiveCertification
> +    Pk algo: RSA
> +    Hash algo: SHA512
> +    Hashed area:
> +      Key flags: CS
> +      Features: SEIPDv1
> +      Keyserver preferences: no modify
> +      Issuer Fingerprint: 14F26682D0916CDD81E37B6D61B7B526D98F0353
> +        Mozilla Software Releases <release@mozilla.com> (UNAUTHENTICATED)
> +      Signature creation time: 2026-02-27 14:57:50 UTC
> +      Symmetric algo preferences: AES256, AES192, AES128, TripleDES
> +      Hash preferences: SHA512, SHA384, SHA256, SHA224, SHA1
> +      Compression preferences: Zlib, BZip2, Zip
> +    Unhashed area:
> +      Issuer: 61B7B526D98F0353
> +        Mozilla Software Releases <release@mozilla.com> (UNAUTHENTICATED)
> +    Digest prefix: A584
> +    Level: 0 (signature over data)
> +
>  Public-Subkey Packet, old CTB, 525 bytes
>      Version: 4
>      Creation time: 2021-05-17 20:11:01 UTC
```
@jcristau jcristau merged commit 2aa93b7 into mozilla-releng:master Mar 4, 2026
10 checks passed
@jcristau jcristau deleted the bug2019885 branch March 4, 2026 12:37