Explicitly manage our additions to the rpm keyring instead of appending

[emkll]

In https://github.com/freedomofpress/securedrop-workstation/blob/master/sys-firewall/sd-copy-rpm-repo-pubkey.sh#L10 , we rpm --import the key. While this works as expected, we need to ensure the keys that are present are only the ones that we want (in prod, remove or ensure the dev key is removed)

related to #406

[rocodes]

We may change approaches here slightly if we publish a keyring + repo bootstrapping package, but even if we do that, keys should be manually added and removed from the rpm dom0 database (see #953) - see eg steps at https://gist.github.com/rocodes/41a8dee0c9098445ea3629770c29c690

[rocodes]

Per conversation yesterday, the keyring will be in its own repo, so removing "good first issue" for now - I have a preliminary .spec file for the new repo that I can push and I'll include example key management logic in the %post section.