
Feat: validate gpg releasers signatures #760

Draft · wants to merge 3 commits into base: main

Conversation

@UlisesGascon (Member) commented Dec 4, 2023

Notes

This is currently a draft version. The main objective is to collect early feedback before creating the final PR (proper linting, tests, etc.).

This is my first time making changes to NCU, so I might be using the API wrongly or breaking an expected convention; please let me know 👍

What is this feature about?

While working on nodejs/Release#966, @RafaelGSS suggested to extend the NCU to review the signatures.

This PR introduces a new command, ncu-team check-gpg. This command checks the current releasers team members against the information available in the README.md, runs some checks on the status of the individuals' keys, and verifies whether the keys/releasers are properly listed in the README.md.

Checks currently included

  • If the Releaser is not included in the README.md
  • If the Releaser key listed in the README is not included in their profile
  • The Release key status:
    • Was revoked?
    • Has expiration date?
    • Is the email different from the README.md?
    • Can sign commits?

Potential additional checks

  • Is the key expired?
  • Is the key available in hkps://keys.openpgp.org as expected?

Current output
[Screenshot 2023-12-04 at 17 44 03: sample output of ncu-team check-gpg]
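As an added illustration (not code from this PR or from node-core-utils), the key-status checks listed above can be evaluated offline from the machine-readable output of `gpg --list-keys --with-colons`. The field positions follow GnuPG's documented colon format; the releaser names, e-mails, key IDs and fingerprints below are constructed sample data, and the README entry shape and all function names are my own assumptions for this example. The checks that need the GitHub profile or a keyserver (key missing from the profile, key availability on keys.openpgp.org) are not modelled here because they cannot be evaluated offline.

```javascript
// Added example, not part of the PR: evaluate releaser key status from
// `gpg --list-keys --with-colons` output. Field layout (1-based) per GnuPG doc/DETAILS:
//   1 record type, 2 validity (r = revoked, e = expired), 5 key ID,
//   7 expiration (unix time, empty when none), 10 user ID / fingerprint,
//   12 capabilities (lowercase = per-subkey, uppercase = usable for the whole key).
function parseColonOutput(text) {
  const keys = [];
  let current = null;
  for (const line of text.split('\n')) {
    const f = line.split(':');
    switch (f[0]) {
      case 'pub':
        current = {
          keyid: f[4],
          validity: f[1],
          expires: f[6] ? Number(f[6]) : null,
          capabilities: f[11] || '',
          fingerprint: null,
          uids: [],
        };
        keys.push(current);
        break;
      case 'fpr':
        // The first fpr record after a pub record is the primary key fingerprint;
        // later fpr records belong to subkeys and are ignored here.
        if (current && current.fingerprint === null) current.fingerprint = f[9];
        break;
      case 'uid':
        if (current) current.uids.push(f[9]);
        break;
      default:
        break; // tru, sub and blank lines are not needed for these checks
    }
  }
  return keys;
}

// Pull the e-mail out of a user ID such as "Jane Releaser <jane@example.com>".
function extractEmail(uid) {
  const m = /<([^>]+)>/.exec(uid);
  return m ? m[1].toLowerCase() : null;
}

// README fingerprints are usually printed in spaced groups; compare them normalized.
function normalizeFingerprint(fpr) {
  return fpr.replace(/\s+/g, '').toUpperCase();
}

// `readmeEntry` models one README row ({ name, email, fingerprint }); this shape is assumed.
function checkReleaserKey(key, readmeEntry) {
  const findings = [];
  if (key.validity === 'r') findings.push('key is revoked');
  if (key.validity === 'e') findings.push('key is expired');
  if (key.expires !== null) findings.push('key has an expiration date set');
  const emails = key.uids.map(extractEmail).filter(Boolean);
  if (!emails.includes(readmeEntry.email.toLowerCase())) {
    findings.push('README e-mail not found in key user IDs');
  }
  // Uppercase S means the key as a whole is currently usable for signing.
  if (!key.capabilities.includes('S')) findings.push('key cannot currently sign');
  return findings;
}

// Look up every README entry in the parsed keyring and report its findings.
function auditReleasers(readmeEntries, gpgText) {
  const keys = parseColonOutput(gpgText);
  return readmeEntries.map((entry) => {
    const key = keys.find((k) => k.fingerprint === normalizeFingerprint(entry.fingerprint));
    return {
      name: entry.name,
      findings: key ? checkReleaserKey(key, entry) : ['key not found in keyring'],
    };
  });
}

// Constructed sample keyring: one healthy key and one revoked, expiring key.
const SAMPLE_GPG_OUTPUT = [
  'tru::1:1700000000:0:3:1:5',
  'pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:',
  'fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:',
  'uid:u::::1600000000::0000000000000000000000000000000000000000::Jane Releaser <jane@example.com>::::::::::0:',
  'sub:u:4096:1:FEDCBA9876543210:1600000000::::::s::::::23:',
  'fpr:::::::::9999888877776666555544443333222211110000:',
  'pub:r:4096:1:ABCDEF0123456789:1500000000:1800000000::-:::sc::::::23::0:',
  'fpr:::::::::1234123412341234123412341234123412341234:',
  'uid:r::::1500000000::1111111111111111111111111111111111111111::Old Releaser <old@example.org>::::::::::0:',
].join('\n');

// Constructed README rows; the second lists an e-mail that differs from the key's user ID.
const SAMPLE_README = [
  { name: 'Jane Releaser', email: 'jane@example.com', fingerprint: 'AAAA 1111 BBBB 2222 CCCC  3333 DDDD 4444 EEEE 5555' },
  { name: 'Old Releaser', email: 'old@example.com', fingerprint: '1234 1234 1234 1234 1234  1234 1234 1234 1234 1234' },
  { name: 'Missing Releaser', email: 'missing@example.net', fingerprint: '0000 0000 0000 0000 0000  0000 0000 0000 0000 0000' },
];

console.log(JSON.stringify(auditReleasers(SAMPLE_README, SAMPLE_GPG_OUTPUT), null, 2));
```

In a real run the `SAMPLE_GPG_OUTPUT` string would be replaced by the captured stdout of `gpg --list-keys --with-colons` after importing the releasers' keys, and the README rows would come from parsing the releasers table; the checks themselves do not change.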

@RafaelGSS (Member) left a comment

Can we run it through a workflow monthly to guarantee we are pinging the ones without a proper signature?
