Perform extensions signature verification


    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Query Integration

      At the point of writing this ticket, the public key used for extension signature verification should already be in the gpg key ring.

      Before loading each extension, fetch its associated .sig file (expected to live side-by-side with the .so file) and validate the signature.

      If signature verification fails for an extension, uassert with a helpful message stating that the server cannot start up because a tampered extension has been detected.

      Use the gpgmepp library to perform the signature verification logic.
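
One way to structure the check described above, as an added example that is not the project's own code: the accept/refuse decision is plain C++ and fails closed, and the gpgme++ adaptor compiles when built with `-DUSE_GPGMEPP`. The `<name>.so.sig` naming, the pinned-fingerprint parameter and all function and type names are assumptions.

```cpp
// Added example, not project code. Decision logic is plain C++; build with
// -DUSE_GPGMEPP -lgpgmepp -lgpgme to compile the gpgme++ adaptor below.
#include <string>
#include <vector>

struct SigInfo {              // one entry of a verification result
    unsigned statusCode;      // gpgme++: Signature::status().code(), 0 = good
    std::string fingerprint;  // gpgme++: Signature::fingerprint()
};

// Assumed naming: "<name>.so.sig" next to "<name>.so".
std::string sigPathFor(const std::string& soPath) { return soPath + ".sig"; }

// Returns "" if the extension may load, otherwise the message to uassert with.
// pinnedFpr is a hypothetical setting: fingerprint of the expected signing key.
std::string refusalReason(const std::string& soPath, bool opFailed,
                          const std::vector<SigInfo>& sigs, const std::string& pinnedFpr) {
    const std::string prefix = "Server cannot start up: extension '" + soPath + "' ";
    if (opFailed)
        return prefix + "could not be verified (missing or unreadable .sig file)";
    if (sigs.empty())  // a completed operation with zero signatures proves nothing
        return prefix + "has no signature";
    for (const SigInfo& s : sigs) {
        if (s.statusCode != 0)  // bad, expired, revoked, or unknown key
            return prefix + "failed signature verification; a tampered extension has been detected";
        if (s.fingerprint != pinnedFpr)  // good signature, but not from the expected key
            return prefix + "is signed by unexpected key " + s.fingerprint;
    }
    return "";
}

#ifdef USE_GPGMEPP
#include <gpgme++/context.h>
#include <gpgme++/data.h>
#include <gpgme++/global.h>
#include <gpgme++/verificationresult.h>
#include <memory>

std::string checkExtension(const std::string& soPath, const std::string& pinnedFpr) {
    GpgME::initializeLibrary();
    std::unique_ptr<GpgME::Context> ctx(GpgME::Context::createForProtocol(GpgME::OpenPGP));
    if (!ctx) return refusalReason(soPath, true, {}, pinnedFpr);
    GpgME::Data sig(sigPathFor(soPath).c_str()), body(soPath.c_str());
    const GpgME::VerificationResult res = ctx->verifyDetachedSignature(sig, body);
    std::vector<SigInfo> sigs;
    for (const GpgME::Signature& s : res.signatures())
        sigs.push_back({s.status().code(), s.fingerprint() ? s.fingerprint() : ""});
    return refusalReason(soPath, res.error().code() != 0, sigs, pinnedFpr);
}
#endif
```

Verification and loading both open the file by path, so the extension directory must not be writable by anything less trusted than the server between the two steps.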

            Assignee:
            Unassigned
            Reporter:
            Joe Shalabi