Make downloading of binary packages secure

[hellais]

Looking at https://github.com/globaleaks/APAF/blob/master/apaf/build.py, it appears that the download uses urrlib that does not verify SSL certificates and the function for verifying the signature of the binary always returns true.

I suggest we have the public key fingerprint of the people signing packages hardcoded inside of the source (or in some other part of the software, but we ship with it).

We should also bundle a set of SSL roots that are trustworthy and be sure that proper SSL verification is being done.

[fpietrosanti]

Also related to:

• Automate build dependency installation - OSX Automate build dependency installation - OSX #38
• Automate build dependency installation - Linux Automate build dependency installation - Linux #37
• Automate build dependency installation - Windows Automate build dependency installation - Windows #2
• automagically resolve dependencies during installation automagically resolve dependencies during installation #45