Allow for box repo signature verification

[schaefi]

At the moment the plugin provides a pre configured box config via kiwi_boxed_plugin/config/kiwi_boxed_plugin.yml.
The used download source points to Virtualization:Appliances:SelfContained and is considered a trusted source.

However it would be more flexible and secure if the config file would be a system wide setup e.g

/etc/kiwi_boxed_plugin.yml

which allows for an additional setting like:

box:
  -
    name: ...
    verify: signature_key

The provided signature_key file should be used to verify the signature of the box source

[ellcs]

I would like to add following thoughts and questions:

• Which key is currently used to sign the Kernel and Linux-System? If it is the OBS key, after installing the boxed-plugin the key should be already somewhere on the system, right? This key should be used by default then.
• I also like the idea to configure the key.