This adds a new -s flag to 'got tag' that specifies the signer identity (for example, a key file) of the tagger. The tag object will include a signature that validates each of the tag object headers and the tag message. Verifying these signed tags requires maintaining an allowed signers file which maps signer identities (i.e. the email address of the tagger) to SSH public keys. See ssh-keygen(1) for more details of the allowed signers file. After creating this file and providing the path to it in got.conf(5) using the allowed_signers option, tags may be verified using with 'got tag -V tag_name'. The return code will be non-zero if a signature fails to verify. ok stsp@

Compile static libexec binaries for gotweb, keeping them separate from the main build. Use the same source files but a separate set of Makefiles. Previously, 'make web-install' installed whichever libexec binaries had already been built, and if those happened to be dynamically linked they failed to run inside the chroot which resulted in "privsep peer process closed pipe" being rendered on the index page.