This patch makes the handling of failed integrity checks of 3rd-party
packages more robust. Previously, a once failed 'make prepare PKG=curl'
would not leave any trace of the verification state. Hence, a successive
attempt to perform the 'make prepare' step again succeeded even if the
signature check failed.
To solve this problem, the outcome of a successful signature check is
represented by a tag file called 'download/<archive-name>.verified'.
Because the rule for extracting the archive depends on the .verify tag
file, the extraction step is not performed until the signature check
succeeds.
Issue #748
179f742924