Portage currently runs `git log" -n1 --pretty=format:%G? HEAD` (roughly) to figure out if a repository's top commit is signed. This works w/ gemato setting up a gnupg env with the expected keyring, exporting that to git, then checking the result. We should do this for git-r3.eclass - it'd be nice in cases like sys-apps/portage's live ebuild, where we could use sec-keys/openpgp-keys-gentoo-developers.